OPERATIONAL RISK MANAGEMENT: PRINCIPLES AND
FRAMEWORK FOR GOVERNMENT DEBT MANAGEMENT
IN THE MEFMI REGION.
Olive Gitau
Central Bank of Kenya
Mentor: Mike Williams
A Technical Paper Submitted in Partial Fulfilment of the Award of MEFMI
Fellowship
October 2017
Macroeconomic and Financial Management Institute of Eastern and Southern Africa
Abstract
This paper introduces the concepts of operational risk management (ORM) as it should be
applied to government debt management (DeM) in MEFMI member countries. It aims to
provide a practical roadmap towards managing operational risks in DeM through a step-by-step
presentation of the key principles, framework and techniques for ORM by debt managers.
The study is mainly based on primary data from use of questionnaires to explore and obtain
information on the practice and implementation of ORM principles, framework and techniques
in DeM operations in MEFMI countries. The primary data were supplemented with secondary
data from MEFMI member countries’ DeMPA reports, where available.
The study sought to establish whether there are adequate ORM principles and frameworks in
Debt Management Units (DMUs) within the MEFMI region. Gaps were identified in terms of
poor policies and procedures, inadequate governance structures, and poor culture and
awareness of ORM. There was limited practice of the usual six-step process in setting an ORM
framework and limited practice of ORM techniques/tools.
The study suggests that there is a need for practical exposure and capacity building within the
MEFMI region on ORM principles, framework and techniques for effective DeM. Debt
managers can make improvements incrementally, factoring in the resources available, since
effective ORM is not all or nothing. This could be facilitated by partnering or collaborating
with other institutions that would be willing to provide support. The paper will therefore be of value to
government debt managers and offers policy recommendations on the practical application of
ORM principles and frameworks.
Acknowledgement
I am thankful to the Almighty God for giving me the health and strength to complete this stage
of the MEFMI program. I acknowledge and appreciate the support of the MEFMI Secretariat,
my employer the Central Bank of Kenya and my mentor, Mr. Mike Williams in steering me in
the right direction.
I profoundly thank MEFMI member countries and Mauritius for the questionnaire feedback
during the information gathering process.
Last but not least, I am very grateful to my husband, Mr. Gitau, our lovely boys Bethel and
Lucas, for their unwavering support and understanding while writing this technical paper.
Table of Contents
Abstract
Acknowledgement
Table of Contents
List of Figures
List of Tables
Acronyms
1.0 INTRODUCTION
1.1 Background
1.2 Statement of the Problem
1.3 Objectives of the Study
1.4 Research Questions
1.5 Hypotheses
1.6 Significance of the Study
2.0 LITERATURE REVIEW
2.1 Introduction
2.2 Institutional Framework
2.3 Types of Operational Risk Exposures
2.4 Principles for Operational Risk Management in Debt Management
2.5 Drivers of Operational Risk Management
2.6 Operational Risk Management Framework
2.7 Managing and Integrating IT Risks into the Operational Risk Framework
2.8 Building Blocks of an Operational Risk Management Framework
2.9 Business Continuity and Disaster Recovery Planning (BCP/DRP)
2.10 Empirical Literature
3.0 RESEARCH DESIGN AND METHODOLOGY
3.1 Research Hypothesis
3.2 Research Design
3.3 Study Population
3.4 Research Methodology
3.5 Design of Research Instrument and Data Collection
3.6 Data Analysis
4.0 DATA ANALYSIS, PRESENTATION AND FINDINGS
4.1 Overview
4.2 Structure and Performance of the Debt Management Functions
4.3 Implementation of ORM in the DMOs
4.4 Existence of and Constraints to Sound Operational Risk Governance Practices in the DMOs
4.5 Practice and Constraints of Appropriate Risk Management Environment in the DMOs
4.6 Design and Acceptance of ORM Framework in the DMO
4.7 Constraints to Implementation of ORM Drivers in the DMOs
4.8 Overall Implementation of ORM Framework in the MEFMI Region DMOs
4.9 Implementation of the Six-step Process of ORM Framework in the DMOs
4.10 Familiarity with techniques of operational risk management framework
4.11 Current implementation of the ORM framework techniques in the MEFMI region
5.0 RESULTS DISCUSSION
5.1 Discussion of Hypothesis One
5.2 Discussion on Hypothesis Two
5.3 Discussion on Hypothesis Three
5.4 Discussion of Findings
5.5 Summary
6.0 CONCLUSION AND RECOMMENDATIONS
6.1 Practical Application to the MEFMI Member Countries
6.2 Policy Recommendations
6.3 Conclusion
REFERENCES
APPENDICES
List of Figures
Figure 1: Simplified debt management governance structure
Figure 2: Corporate governance and decision making structures
Figure 3: Operational risk management environment
Figure 4: Operational risk management framework Six-step process
Figure 5: Loss severity distribution
Figure 6: Assessment of DeMPA Results in MEFMI Region with performance of C or above
Figure 7: Placement of respondents in Debt Management Office (DMO)
Figure 8: Structure of DMO is divided into: Front office; Middle office; & Back office
Figure 9: Performance of principal debt management functions
Figure 10: Operational risk and general risk management practice
Figure 11: Responsibility for overall risk management and operational risk management
Figure 12: Familiarity with operational risk management
Figure 13: Implementation and development of ORM principles in the respondent countries DMOs
Figure 14: ORM drivers influence to the design and acceptance of ORM framework in the DMO
Figure 15: Constraints to implementation of ORM drivers in the MEFMI Region Countries DMOs
Figure 16: Implementation of an ORM framework in the DMOs
Figure 17: Implementation of the six-step process of ORM framework in the DMOs
Figure 18: Implementation of step one of ORM framework
Figure 19: Implementation of step two of ORM framework
Figure 20: Implementation of step three of ORM framework
Figure 21: Implementation of step four of ORM framework
Figure 22: Implementation of step five of ORM framework
Figure 23: Implementation of step six of ORM framework
Figure 24: MEFMI Region countries familiarity to the techniques of ORM framework
Figure 25: Utilization of the ORM framework tools in the DMOs within the MEFMI region
Figure 26: MEFMI Countries Debt to GDP Ratio (Year 2010 to 2014)
List of Tables
Table 1: Types of Operational Risks
Table 2: Risk exposure matrix
Table 3: Examples of Controls
Table 4: Examples of Incidences
Table 5: Examples of key risk indicators
Table 6: Presence of signed agreements within the MEFMI region
Table 7: Reasons for low performance in DeMPA DPIs of ORM
Table 8: Risk management practice and performance in the MEFMI region countries
Table 9: Response on implementation of ORM framework in the DMOs
Table 10: MEFMI region practice of the tools for ORM within the DMOs
Table 11: Summary of implementation of some ORM practices within the MEFMI region DMOs
Table 12: Summary on ORM improvement and prioritisation areas for policy adoption
Table 13: Response rate
Table 14: Quality of respondents
Table 15: MEFMI region countries response to the best practice DMO structure
Table 16: MEFMI region implementation and development of ORM principles in the DMO in %
Table 17: Different aspects of the three drivers of ORM and their percentage representation on influencing design and acceptance of ORM framework in the DMO
Table 18: Implementation of the six-step process of ORM framework in the DMOs
Table 19: MEFMI Countries Debt to GDP Ratio (Year 2010 to 2015)
Acronyms
BCP – Business Continuity Plan
BCP/DRP – Business Continuity and Disaster Recovery Plan
BIA – Business Impact Analysis
BIS – Bank for International Settlements
COSO – Committee of Sponsoring Organizations of the Treadway Commission
DeM – Debt Management
DeMPA – Debt Management Performance Assessment
DMO – Debt Management Office
DMU – Debt Management Unit
DPI – Debt Performance Indicator
DRP – Disaster Recovery Plan
GARP – Global Association of Risk Professionals
GDP – Gross Domestic Product
IMF – International Monetary Fund
IT – Information Technology
KCI – Key Control Indicator
KPI – Key Performance Indicator
KRI – Key Risk Indicator
MEFMI – Macroeconomic and Financial Management Institute of Eastern and Southern Africa
OECD – Organization for Economic Co-operation and Development
ORM – Operational Risk Management
RCSA – Risk and Control Self-Assessment
SAI – Supreme Audit Institution
1.0 INTRODUCTION
Risk management policies lie at the heart of government debt management, forming the critical
link between the formulation and implementation of debt management strategy. The
development of these policies poses difficult yet fundamental choices for debt managers and
policy makers in the assessment of different types of risks (Wheeler, 2004). This study focuses
on one of these risk categories: operational risk.
Awareness of operational risk is low in many middle- and low-income countries, and very few
ministries of finance have a business continuity and disaster recovery plan (BCP/DRP).
Operational risk is often perceived as something applicable only to the private sector and
attracts little attention from senior management. It is not seen as a priority and inadequate
resources are allocated to establish and maintain an operational risk management (ORM)
framework including BCP/DRP. Responsibility is delegated to information technology, and it
becomes a one-off project rather than an integral part of the day-to-day debt management
operations (Storkey, 2011).
The goal for the ORM framework is to identify, assess, monitor, control or mitigate risk
exposures and report to senior management. ORM is linked to the business environment, nature
and complexity of debt management (DeM) operations, the processes and systems in place,
and the quality of management and information flows (Central Banking Publications, 2000).
Although most governments have significant levels of debt to manage, prudent government
DeM is especially important in both frontier and emerging market countries. ORM aims to
ensure the integrity and quality of the operations of the Debt Management Office (DMO) or
Debt Management Unit (DMU)¹ under the Ministry of Finance using a variety of tools
including audit, recruitment policies, system controls, risk management programmes and
business continuity planning.
According to Tokaç and Williams (2013), operational risk is the least understood of the DeM
risk categories. It is often endogenous to the institution. Not only can financial losses be severe,
there is also potential for high reputational risks and political damage associated with
operational error or failure. Internal controls should thus be embedded in the DMO’s day-to-day
business and designed to ensure, to the extent possible, that its activities are efficient and
effective, information is reliable, timely and complete, and that the DMO is compliant with
applicable laws and regulations. Sound internal governance forms the foundation of an
effective ORM framework.
¹ Debt Management Office (DMO), which may be a semi-autonomous office, and Debt Management Unit (DMU), embedded within the Treasury or Ministry, shall be used interchangeably through the paper to refer to the government principal debt management entity.
This study will seek to determine the level of implementation of ORM principles, and the gaps,
and causes of the gaps, to sound operational risk governance and an appropriate risk management
environment in DMUs within the MEFMI² member countries. It will also establish the
existence of an ORM framework in the DMU of each MEFMI member country with the aim
of providing policy recommendations on practical application of ORM principles and
frameworks.
1.1 Background
Operational Risk Management
According to the Bank for International Settlements (BIS),³ under Basel II, operational risk is
defined as the risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events. This definition includes legal risk, but excludes strategic and
reputational risk.⁴
This definition and sound practices – as established by the Basel Committee on Banking
Supervision and elaborated, in particular, by COSO⁵ – were initially and primarily designed for
the banking and financial sector; but the governing principles can appropriately be applied to
government DeM operations. What is necessary is a management framework that is appropriate
to the range and nature of government DeM operations and the operating environment,
particularly for low and middle income countries (Magnusson, Prasad and Storkey, 2010).
² MEFMI member countries are: Angola, Botswana, Burundi, Kenya, Lesotho, Malawi, Mozambique, Namibia, Rwanda, Swaziland, Tanzania, Uganda, Zambia and Zimbabwe.
³ The Bank for International Settlements (BIS) is the world’s oldest international financial organisation. It has 60 member central banks, representing countries from around the world that together make up about 95% of the world GDP. The BIS mission is to serve central banks in their pursuit of monetary and financial stability, to foster international cooperation in those areas and to act as a bank for central banks.
⁴ This definition was adopted by the Basel Committee as part of its work in developing a minimum regulatory capital charge for operational risk.
⁵ The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
ORM is a facet of risk management that focuses on identifying, assessing, controlling and
mitigating operational risks. According to Wheeler (2004), operational risks are managed
through policies concerned with mitigating business risks that could threaten the continuity and
reputation of the DeM operations. Operational risk can be reduced by introducing sound
governance practices. These policies are essential in identifying risk exposures acceptable to
the government, directing the operations of the DMU, ensuring consistency in implementation
of government DeM procedures and in managing high staff turnover.
Government Debt Management
Government DeM is the process of establishing and implementing a strategy for prudently
managing the government’s debt in order to meet the government’s financing needs, its cost
and risk objectives, and any other DeM goals the government may have set, such as developing
and maintaining an efficient market for government securities. The aim of DeM is to ensure
that the government’s borrowing needs are met efficiently and that the stock of government
debt and the incremental debt flows arising from budget and off-budget sources, are managed
in a manner consistent with the government’s cost and risk preferences (Wheeler, 2004:4).
Wheeler (2004:6) emphasises that high-quality government DeM can help lower a
government’s debt servicing costs by reducing the credit premium and the liquidity premium
in the term structure of interest rates for government securities. Poor DeM practices have
frequently been cited by the sovereign credit rating agencies in announcing sovereign
downgrades. In addition, if the government’s DeM strategy is poorly designed, implemented
and communicated, it can induce adverse investor sentiment, raise debt servicing costs and
damage the government’s reputation. It can also exacerbate financial market shocks and
instability, limiting resiliency and increasing vulnerability to financial shocks. MEFMI
countries’ debt to gross domestic product (GDP) ratios are illustrated in Appendix 2 as Table
19 and Figure 26.
Operational Risks and Government Debt Management
Government DMUs are responsible for managing costs and risk of the government’s debt
portfolio, which is often the largest financial portfolio in the country. As such, it is very
important that DMUs develop policies and procedures to manage the risks that they face
(Magnusson et al. 2010).
In DeM operations, some categories of risk, such as market risk (exchange rate and interest
rate risk), credit risk, refinancing risk and liquidity risk are relatively well known, while
operational risk is not (OECD, 2005). From the Debt Management Performance Assessment
(DeMPA⁶) performed on the MEFMI member countries, only about 33% had met the minimum
requirements⁷ for effective debt administration and data security. About 25% demonstrated
effective practice for aspects relating to the segregation of duties, staff capacity and business
continuity plan (BCP), while only 8% met the minimum requirements for the debt audit indicator
(MEFMI, 2015), as illustrated in Table 7 and Figure 9.
Weak operational risk management can lead to corruption. Magnusson et al. (2010) quote the
example of the Anglo Leasing Affair in Kenya in 2004. It involved a supplier’s credit with
extremely adverse conditions for the Kenyan government. All payments by the Kenyan
government were transferred to Anglo Leasing & Finance Ltd.’s account with a small bank in
Zurich, and eventually it was discovered that Anglo Leasing did not even exist. The official
report by the Financial Secretary concluded that over the years, the institutional framework for
contracting and managing external commercial loans had collapsed.
This paper follows earlier work done by the OECD, World Bank and International Monetary
Fund (IMF) in learning and sharing experiences on governance and the management of
operational risk. It draws on existing literature on ORM principles and practices that have been
formulated by the BIS Basel Committee on Banking Supervision, the COSO, the Global
Association of Risk Professionals (GARP)⁸ and DeMPA.
1.2 Statement of the Problem
It is much more difficult to quantify operational risk than credit or market risk. Operational risk
is also more difficult to manage since it is a necessary part of doing business. Operational risk
is difficult to measure and is often seen as a “residual” risk after all the other risks have been
identified. Alan Greenspan calls this “noise” and no mathematical risk models come close to
adequately explaining it (Central Banking Publications, 2000).
⁶ The Debt Management Performance Assessment (DeMPA) indicator set is a sample of proficiencies of a DMU. The tool was developed to assist countries in identifying the priority areas for improvement, with a particular focus on developing countries. These results relate to 12 finalised DeMPA results for MEFMI member countries.
⁷ DeMPA indicators are scored on a scale from A to D. Score C or higher indicates that the minimum requirements for effective debt management under the DeMPA have been met; while score D indicates the absence of the same.
⁸ The Global Association of Risk Professionals (GARP) enables the risk community to make informed risk decisions through “creating a culture of risk awareness®”. They do this by educating and informing at all levels, from those beginning their careers in risk, to those leading risk programs at the largest financial institutions across the globe, as well as the regulators that govern them.
According to Magnusson et al. (2010), the government’s day-to-day DeM operational risks often
stem from shortcomings in business processes, systems and human resource policies. A common
challenge here is to decrease key person risk within the DMO and reduce the multiplicity of
tasks carried out by experienced staff, while at the same time eliminating duplication of
functions within the entity. Wheeler (2004) stated that the most common operational risks tend to
lie on the transaction side (such as errors in data entry, system malfunction, execution of
unauthorised transactions, poor process design), but the most serious ones generally relate to
fraudulent breaches of controls and systems failures. Each carries serious financial and
reputational cost.
Whilst literature exists that supports and provides strategies and ways for identifying,
assessing, monitoring, controlling and mitigating operational risks, the DMUs have not
effectively utilised these resources for optimal ORM (Magnusson et al. 2010). This is
evidenced by the low DeMPA scores of MEFMI member countries on audit and operational
risk management indicators namely: data administration and security, segregation of duties,
staff capacity and BCP.
The basis of this study was to look into the reasons for low rates of meeting the minimum
requirements for DeMPA debt performance indicators of audit and operational risk
management by MEFMI member countries. This was achieved by examining the practice of
ORM principles and framework in DMUs and constraints to the same.
The aim of the study was therefore to identify practical ORM principles, framework and tools,
provide recommendations on how to entrench sound governance and ORM practices in DMUs
through internal and external audit, sound operational risk governance structures, a strong risk
management environment, better risk awareness and culture, and an effective ORM
framework.
1.3 Objectives of the Study
The objectives of this study were to:
a. Establish the current level of implementation of ORM principles by DMUs in MEFMI
member countries.
b. Identify key gaps, and causes of the gaps, to sound operational risk governance practices
and an appropriate risk management environment in the MEFMI region.
c. Determine the existence of an ORM framework governing the specific programmes used
in the DMUs for effective ORM.
d. Make policy recommendations for implementing ORM principles and framework in
DMUs of MEFMI member countries.
The study intended to determine whether DMUs in MEFMI member countries have an ORM
framework, to:
a. Identify the current practice and constraints to developing and implementing ORM
framework in the DMUs.
b. Determine the specific ORM framework techniques/tools that have been implemented
for effective operational risks management.
c. Establish the existence of adequate business continuity planning policies within the
DMU.
The study therefore sought to establish the level of implementation of and constraints to
practice of ORM principles, framework and specific tools applied within the MEFMI region.
It would then provide policy recommendations for reforms to enhance the practical application
of ORM principles and policies in the MEFMI countries.
1.4 Research Questions
The paper sought to answer the following questions:
a. Are sound operational risk governance practices developed and in place; and if not, what
are the constraints?
b. Is an appropriate risk management environment (that is, a risk culture and awareness,
and proper policies and procedures for effective ORM) entrenched in the MEFMI region;
and if not, what are the constraints?
c. What is the level of engagement of both internal and external auditors and public
disclosure of the DMU operations in managing operational risks?
1.5 Hypotheses
Hypothesis One: There is inadequate implementation of ORM principles in DMUs (that is,
inadequate operational risk governance practices and risk management environment),
negatively affecting government DeM.
Hypothesis Two: There is a very limited level of engagement of both internal and external audit
in DeM operations by MEFMI member countries.
Hypothesis Three: There is a poor level of implementation of an ORM framework and limited
use of ORM tools within the MEFMI member countries.
1.6 Significance of the Study
The paper is designed to be of value to government debt managers and professionals looking
to develop their ORM frameworks. It will set out a widely applicable and relevant policy
approach and management framework to guide practical implementation of ORM principles.
It will help development partners and counterparties in evaluating the level of growth and
implementation of ORM principles in DeM operations. The paper will present ORM best
practices, framework, tools and BCP methodologies.
The paper will review the operational risks of all DeM operations in a country and provide
integrated principles and framework for ORM. In some countries, the Central Bank is the
government’s fiscal agent and undertakes the function of domestic debt issuance using market-
based mechanisms. The external borrowing function is then run from the national treasury
facilitated by the DMO/DMU (Magnusson et al. 2010). The ORM roadmap to be provided will
be beneficial to all components of the DeM function (whether in the Ministry of Finance or the
Central Bank) and the reform programme is best spearheaded by the reporting entity on
government debt as provided by legislation.
The study will be valuable to the senior management of all DMUs in identifying areas of
improvement for better and effective ORM in supporting sound governance practices. This will
help senior management develop an appropriate risk management environment for proper
communication of risk culture and awareness. It will also help them in engaging both internal
and external auditors to offer assurance on whether the DeM operations have properly
identified and mitigated operational risks, as well as on compliance with legislation and
regulations and facilitating public disclosure for transparency and accountability.
Knowledge of operational risks, ORM principles and framework in DeM is a relatively new
area of study as adoption of ORM remains low in many MEFMI countries. This technical paper
will encourage sharing of information between debt managers within the MEFMI region to
address operational risks in the management of debt. It is likely to set the pace for additional
research for further practical solutions to operational risks by debt managers in all DMUs.
2.0 LITERATURE REVIEW
2.1 Introduction
Best practices in risk management integrate key decision making processes to deliver increased
efficiency and quality by establishing prudent policies and management oversight. The risk
management policy framework constitutes the critical connection between the formulation and
implementation of debt management decisions (Blommestein, 2002).
Sound ORM is a reflection of the effectiveness of the Head of DMU or members of the
decision-making board in administering the portfolio of borrowing products, activities,
processes and systems. Sound internal governance forms the foundation of an effective ORM
framework. An integral part of the framework will be the principles for ORM. The following
sets out the principles that might apply to government DeM operations. These are based on
guidelines developed for the banking sector by the Basel Committee on Banking Supervision
(2011), general COSO frameworks and GARP for the creation of a culture of risk awareness
in institutions through educating and informing risk professionals. As noted by Tokaç and
Williams (2013), public sector entities and debt managers are increasingly expected to follow
private sector good practice where it is relevant.
2.2 Institutional Framework
In the context of government DeM, the term governance refers to the legal and managerial
structure that shapes and directs the operations of government debt managers. It embodies the
management framework, covering issues such as the formulation and implementation of
strategy, operational procedures, quality assurance practices and reporting responsibilities
(Wheeler 2004: 49).
Public debt management guidelines by the World Bank and IMF (2014) argue that operational
risks should be managed according to sound business practices, including well-articulated
responsibilities for staff and clear monitoring and control policies and reporting arrangements.
DeM activities should be supported by a comprehensive management information system with
proper safeguards. The organizational framework surrounding DeM should be clearly specified
and roles well designated as shown in Figure 1. Consolidating DeM functions in the same
authority or body enhances efficiency in debt management operations and management of
operational risks.9 This enables debt managers to have the operational independence to execute
their objectives and strategies.10
9 There is a range of institutional alternatives for locating the public debt management functions, including in one or more of the following: the ministry of finance, the central bank or an autonomous debt management agency.
10 If the central bank is charged with the primary responsibility for debt management, the clarity of and separation between debt management policy and monetary policy objectives especially needs to be maintained.
Figure 1: Simplified Debt Management Governance Structure
Source: World Bank Group (2015)
2.3 Types of Operational Risk Exposures
The Basel II definition includes legal risk but excludes strategic and reputation risk. However,
the strategic and reputation risk can be caused by both bad ORM and an unexpected
consequence of a government decision. The types and examples of operational risks that are
relevant for government DeM often arise from interaction between both internal and external
factors and are set out in the box below.
A distinction can be made between risks that are internal to DMU which should be under
management control and those that are external but management should have mitigation
measures in place as seen in Table 1 below. Following increased use of debt systems within
DMUs, greater emphasis is now being placed on information security to mitigate the risk of
cyberattacks, hacking and cases of unauthorised system access. In addition, operational risks
resulting from external factors are being specifically targeted for mitigation. Natural disasters
generate significant fiscal risk and create major budget volatility (World Bank, 2015).
Table 1: Types of Operational Risks
Internal to the DMU
  Infrastructure and Technology Failures
    - Internally supported systems failure – such as IT software or hardware failure
    - Poor maintenance
    - Data corruption including viruses
    - LAN/WAN/Intranet/Internet failure
    - Sabotage/disruption/hacking
    - Theft of data/information/equipment
  Process Failures
    - Poor process design
    - Policy and analysis failure
    - Power and physical security failure
    - Inadequate & unclear documentation
    - Incomplete data
    - Failure to follow regulations & legislation
    - Unauthorised activities
    - Weak governance structures
    - Failure of key service providers
  Human Resource Failures
    - Human error (due to poor training or inadequate supervision)
    - Lack of policy guidance (leading to poor decisions)
    - Execution of unauthorized transactions
    - Key person risk
    - Fraudulent, corrupt or dishonest practices
    - Theft, fraud
External to the DMU
    - Business continuity events – flooding, fire, terrorism, industrial action or natural disaster
    - Building fire or explosion
    - Failure or errors of suppliers or agents
    - Legal or commercial disputes
    - Externally supported systems failure
    - System attack (hacking)
Source: Tokaç and Williams (2013:12) and Magnusson et al. (2010:5) but modified by author
2.4 Principles for Operational Risk Management in Debt Management
The principles for ORM in DeM are best defined by developing, implementing and maintaining
sound operational risk governance practices, an appropriate risk management environment,
engagement of independent internal and external auditors and providing avenues for public
disclosure. These principles are components of the ORM framework whose goal is to identify,
assess, monitor and control/mitigate operational risks across the institution to ensure
consistency and completeness. These components should be fully integrated in the overall
ORM process of the DMU across all levels.
2.4.1 Developing sound operational risk governance practices
Governance is essential for effective ORM. The ORM team needs to have a reporting structure
that provides oversight and an effective route for escalation and approval (Girling P., Shimko
D. and Went P., 2010). The governance approach needs to be practical and must appropriately
reflect the culture of the DMU as illustrated in Figure 2. The importance of ORM and
participation by all staff needs to be signalled by senior management. Each line manager needs
to be made responsible for ORM in their own business area.
Common industry practice as expressed by COSO (2013) for sound operational risk
governance often relies on the three lines of defence – (i) business line management, (ii) an
independent operational risk management function and (iii) an independent review.
Figure 2: Corporate governance and decision making structures
Source: Williams (2013)
The first line of defence is frontline operating management, which lies with function, business and
process owners. This means that sound operational risk governance will require functional line
management to be responsible for identifying and managing the risks inherent in the products,
activities, processes and systems for which it is accountable. Managers own and manage the
risks arising in their area and the control mechanisms adopted.11 Debt managers carrying out
the day-to-day operations of DeM are the first line of defence, at the front managing the
operational risks.
11 The first line owns the risks and the design and execution of the DMUs’ controls to respond to those risks.
The second line of defence is an independent ORM function. This complements the functional
units’ ORM activities. A degree of independence may be achieved through separation of duties,
independent review of processes and functions and independent reporting structures.12 The
independent ORM function challenges the functional unit’s inputs to and outputs from the
DMU’s risk management and reporting system. It should have a sufficient number of personnel
skilled in the management of operational risk to effectively address its many responsibilities.
The third line of defence is an independent review and challenge of the DMU’s operational
risk management controls, processes and systems. Those performing these reviews must be
competent and appropriately trained and not involved in the development, implementation and
operation of the framework.13 This independent assessment is done by internal and external
auditors.
A strong risk culture and good communication, among the three lines of defence, are important
characteristics of good operational risk governance (COSO, 2013). Internal audit coverage
should be adequate to independently verify that the ORM principles and framework have been
implemented as intended and are functioning effectively.
2.4.2 Developing an appropriate risk management environment
Senior management should be aware of the major operational risk exposures, approve and
periodically review the ORM framework. They should ensure clarity in implementation
responsibilities and safeguard independent audit arrangements that could act as a check
mechanism on the ORM system (Magnusson et al. 2010). There should be engagement of
systems for identification, assessment, monitoring and control/mitigation of operational risks
both inherent in all activities, processes and systems and those arising externally. This is best
spearheaded from the top with senior management reinforcing risk culture and awareness
through appropriate management oversight. In addition, transparency and
accountability should be ensured through easy public access to the documentation describing the legal basis for
DeM policy and operations (World Bank and IMF, 2014).
12 Reporting structure independent of the risk generating functional line will be responsible for the design, maintenance and ongoing development of the operational risk framework within the DMU.
13 Internal and external auditors serve as the third line of defence. The review may be done by audit, staff independent of the process or system under review, or suitably qualified external parties.
2.4.3 Building the role of internal and external auditors
Internal and external auditors should independently examine and assess the DMU’s framework
for identifying, assessing, monitoring and controlling/mitigating operational risks. Internal
auditors should evaluate the effectiveness and efficiency of government DeM operations,
including the internal control system, risk management and governance processes (IPPF,
2013). This will provide assurance to the senior management on the performance and
compliance with regulation and legislation over the DeM operations. External auditors should
independently conduct, directly or indirectly, regular evaluation of DeM policies, procedures
and practices related to operational risks (Magnusson et al. 2010).
The DeMPA debt performance indicator (DPI) on audit (DPI-5 dimension one) assesses the
frequency and comprehensiveness of financial audits, compliance audits and performance
audits (of the effectiveness and efficiency of government DeM operations, including the
internal control system and its effectiveness) as well as publication of the external audit reports
(World Bank, 2015). This assessment is to ensure that the DeM activities, policies and
procedures are subject to scrutiny by the supreme audit institutions of each country.
Accountability for government DeM is strengthened by introducing regular audits (both
external and internal) of government DeM activities in relation to (a) reliability and integrity
of financial and operational information; (b) effectiveness and efficiency of DeM operations,
including compliance with the stated DeM objectives and strategy (if available); (c)
effectiveness of the internal control system; and (d) compliance with laws and regulations.14
2.4.4 Provision for public disclosure
The DMO should make sufficient public disclosure to allow government and market
participants to assess its approach to ORM. This should include a statement setting out the
DMO’s approach to managing operational risk and the publication of the external auditor’s
report on a review of ORM policies, procedures and practices (Magnusson et al. 2010).
The DMO’s public disclosure of relevant ORM information can facilitate transparency and the
development of better practice through management discipline. A DMO should have a formal
disclosure policy approved by the Minister/members of decision making board that addresses
the DMU’s approach for determining what operational risk disclosures it will make and the
internal controls over the disclosure process.
14 Sound practice in this area suggests that the transparency of DeM operations is enhanced when the results of external audits are made available to the public.
2.5 Drivers of Operational Risk Management
Once ORM is adopted as a discipline in the DMO deriving from legislation, senior management
and government policies and procedures, it provides a conducive environment to develop and
implement an effective ORM framework. There are three elements that should be addressed
first as they drive the design and acceptance of the ORM framework as a whole. These are
governance, culture and awareness, and policies and procedures.
2.5.1 Governance
It is not unusual for the creation of an operational risk function to upset the present governance
framework within the DMU. Until sound governance has been established, the rest of the
framework will be difficult or even impossible to implement successfully (Girling et al. 2010).
There are two governance areas to address:
2.5.1.1 Who should own the operational risk function?
Someone in the DMO must ‘own’ the operational risk function, or be accountable for its
success. When selecting or re-assessing the governance structure for an operational risk
function, senior management must ensure its independence, attach appropriate importance to
the function and demonstrate its relevance to the DMO. Tokaç and Williams (2013) noted that
the ORM framework and associated processes should be maintained by the ORM function that
lies within the middle office of the DMU. An operational risk function can report to (a) the Head
of DMU directly, (b) the Ministry’s Chief Risk Officer or (c) members of the decision making board
or committee. It is worth noting that the operational risk function cannot report into Audit as it
must remain independent from Audit and indeed is itself subject to regular internal audits. Basel
II expressly forbids operational risk to report into Audit for these reasons.
2.5.1.2 What should the operational risk function own?
Whether a business function can effectively report into operational risk will depend on the upward
governance structure, the culture of the DMU, the individual personalities involved and the
current maturity of the operational risk function in terms of its importance, relevance and
independence. Some of the areas that could report into a central operational risk function are
(a) other operational risk teams/risk monitoring units/risk champions or coordinators – each
DeM and support function that has its own operational risk representative, who should have
regular communication with the central operational risk team; (b) business continuity planning
(BCP) – whose activities fall squarely in two Basel II categories: damage to physical assets, and
business disruption and system failures; and (c) information security – tasked with preserving
the confidentiality, availability and integrity of the DMU’s data. Any failure in this last area
can result in a serious operational risk event. Girling et al. (2010) argued it is preferable for
the information security function to sit outside of the information technology (IT) department
as there may be a conflict between the IT department’s needs and the information security
department’s concerns.
2.5.2 Culture and awareness
In the outlook of Girling et al. (2010) and Pearson Learning Solutions - FRM® (2014), the time
invested in culture and awareness activities is indicative of the likely success of the ORM
framework. This can be achieved through an energized change programme. The designed
framework needs to be promoted and communicated in order for ORM to be adopted and
applied in the DMO. To achieve this, the operational risk function should undertake proactive
communication, careful planning and excellent training before it attempts to implement the
other elements of the framework. The operational risk function, unlike most departments, needs
to work with everyone, as operational risks can arise from processes, systems, people or
external events. To build that working relationship, a wide communication initiative is needed
at the launch of the operational risk function in the DMU and all other departments that support
the functions of the DMO, for example the IT department. A working ORM environment is best
demonstrated by Figure 3, which shows the ORM culture and awareness relationship.
Good planning involves setting clear goals, realistic milestones and achievable deliverables
that add value. Publishing milestones and then meeting them on time, builds the positive
reputation of the function. Once elements of an ORM framework are operational, they should
be monitored to ensure they maintain their integrity and do not deteriorate over time.15 An
ORM framework should thus continue to evolve with experience and in response to feedback
from participants, partners and sponsors. An effective organization-wide training module16
should be efficiently delivered to all employees to facilitate culture change through educating
on the importance of ORM and explaining the role of the operational risk team, coordinators,
specialists or managers.
15 Poor planning can seriously tarnish the image of the operational risk function as promises are not kept and deadlines slip. Every day spent planning is a solid investment in a successful framework and protects the brand of the function within the firm.
16 The training can be done using the intranet through an online training program. Additional in-person and group training will be needed for practical implementation of the elements of the framework.
Figure 3: Operational risk management environment
Source: Pearson Learning Solutions (2014)
2.5.3 Policies and procedures
The operational risk framework will need supporting policies and procedures against which the
DMU will be audited by the audit department. First, there needs to be an operational risk policy
which might be part of the overall risk management policy on government debt management
(Girling et al., 2010). The policy needs to include: the definition of operational risk; governance
of operational risk including who owns it, what it owns and how issues are escalated; and the
main activities that are managed by the operational risk function.
Policies and procedures should cover the minimum requirements for incident reporting, the
risk and control self-assessment tool, the scenario analysis tool and the key risk indicator tool
(addressed in detail below). They should clearly state the roles and responsibilities of those
involved. These policies will be referred to by audit, both internal and external, and scrutinized
by participants in the ORM framework.
2.6 Operational Risk Management Framework
The ORM framework is an approach for managing operational risks within an institution.
DMOs should develop such a framework to effectively manage operational risks. The
framework should cover the DMO’s risk appetite17 and tolerance for operational risk as
specified through the policies for managing this risk. The risk appetite influences its risk culture
and operating style, and guides resource allocation, aligning the institution, people and
processes in designing the infrastructure necessary to effectively respond to and monitor risks
(COSO, 2004). The framework should also include policies outlining the DMO’s approach to
identifying, assessing, monitoring and mitigating the risks.
Developing an ORM framework can be an evolutionary process as it will take time and effort
to not only identify and understand the risks but also to set the mitigation techniques in an
environment that is constantly changing (Magnusson et al. 2010). Tokaç and Williams (2013)
stated that there is not one template that fits all organizations. The technique set out here
broadly follows that established by COSO. Although designed for enterprise risk management
(ERM), it is equally applicable just to ORM, and has the advantage of being comprehensive,
sector and territory independent and also sufficiently flexible for extension to a specific area of
interest. The ORM framework as illustrated in Figure 4 can thus be applied incrementally as
techniques improve and DMU staff begin to understand the risks and mitigation techniques.
17 COSO, Enterprise Risk Management – Integrated Framework. Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. Each institution pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.
Figure 4: Operational risk management framework – six-step process
Source: Magnusson et al. 2010
The first step involves senior management understanding and clearly outlining to all staff in
the DMU the importance attached to ORM and the need for their participation and involvement.
As stated in the three lines of defence model, each line manager needs to be responsible for
ORM in their own functional area. It is then advisable that a risk champion be appointed from
the middle office to lead and guide the process of ORM across the DMU.
2.6.1 Understand and document business activities
The first step is to understand DeM operations by breaking down the main DeM functions into
activities, processes or systems, each with a stated objective for each business area (Magnusson
et al. 2010). This can be done by convening workshops and brainstorming sessions for each
DeM function to fully understand the activities, processes and systems and identify the key
risks that might impact on DeM operations. DeM operational and procedure manuals can also
be used to understand and document the DeM operations.
2.6.2 Risk identification and assessment
Once the DeM activities, processes and systems have been well articulated and documented,
the risks associated with each are then identified and documented, and the rating on the likelihood
and impact of each risk indicated. This is the process of populating the risk register.18 It is
important to involve everyone responsible for DeM operations directly or indirectly as it helps
to develop a risk understanding and culture within the DMU. Engagement workshops,
discussions and brainstorming sessions for each DeM function would effectively address this
process. The risk champion, coordinator or specialist should oversee this process to ensure
common understanding and consistency of approach.
The risk exposures19 then need to be put in priority. A technique used to weigh exposures is to
rate each risk for both likelihood and impact and plot the combinations on a matrix (Tokaç and
Williams, 2013); this is demonstrated in Table 2 below. The darker colours indicate the higher
priority areas for early action. The most serious risk exposures are those of high likelihood and
large impact and will be identified for urgent management action.
18 Risk register is a list of risks associated with a business function’s processes, activities and systems, with the rating on probability and impact for both inherent risk (before mitigating controls) and residual risk (after mitigating controls) and, where applicable, the mitigating actions taken to address the risks.
19 Exposure is the likelihood of the relevant risk event multiplied by its impact.
Table 2: Risk exposure matrix
                          Impact level of risk
Likelihood level of risk  Insignificant  Minor  Moderate  Major  Catastrophic
Very Low                  1              1      2         2      3
Low                       1              2      2         3      4
Medium                    2              2      3         4      4
High                      2              3      4         4      5
Very High                 3              4      4         5      5
Source: Tokaç and Williams (2013)
As noted by Storkey (2011:13), impact can be further analysed under reputational impact,
reporting impact or impact on DeM operations. However, as Pandey and Dar Juan (2013) stated,
different stakeholders have different views on the likelihood and impact of a risk, and it is often
difficult to agree on the quantitative measures of these factors. Rather than spend time arguing
about measures and precision, start simple. The most useful output of risk assessment is to gain
consensus on what your top risks are. This scoring process would be best done after mitigating
the risks by first determining the inherent risk rating, then identifying the controls and finally
the residual risk rating. The outcome of the assessment will be a high level summary of risks
that will be consistent across the full range of DeM operations, as a way of identifying priorities
for senior management (Magnusson et al. 2010).
2.6.3 Risk response and controls
In step three, the DMU develops risk response and controls by determining risk management
strategies that focus on improving resilience and ensuring mitigation techniques are put in place
for those areas identified as having a combination of high likelihood and large impact. There
is a progression policy from identifying a risk exposure, to deciding the risk response and then
implementing the necessary control or action. Control activities are the policies, procedures,
practices and institutional structures that help ensure residual risk levels are brought to their
target levels. Examples of controls are in Table 3 below.
Table 3: Examples of Controls
Prevention
    - Segregation of duties, dual verification (four eyes principle)
    - Automation and process standardization and instructions
    - Access controls, Formal sign-offs
    - Clearly established authorities, processes for approval and levels of approval and review
    - Adherence to assigned risk limits or thresholds
    - Training and appropriate staffing levels to maintain expertise
    - Sound technology governance and infrastructure
    - Reconciliations of transactions, payments
Detection
    - Confirmation matching
    - Reconciliations and verification of transactions
    - System monitoring / audit trails
    - Compliance reviews, security inspections, internal and external audit
    - Stress testing
Correction / Mitigation
    - Investigation procedures
    - Detailed business continuity and disaster recovery plans
    - Back-up systems and support, archives
    - Insurance
Source: Tokaç and Williams (2013) but modified by author
The DMU should select the most appropriate risk treatment approach for each DeM function
using at least one of the four options (World Bank, 2013): a) avoid the risk, where the
probability of an event occurring is reduced or eliminated, for example, install a back-up power
generator, train staff, have an alternate internet provider or maintain a hot site as part of a BCP
in the event of a disruption; b) transfer the risk, where risk is passed to a third party such as
an insurer, for example, insurance against fire, theft or losses, or by outsourcing to specialists;
c) mitigate or control the risk, by taking measures to reduce the probability of the risk
materialising or reduce the impact of the loss event, for example, implement fraud detection
policies and procedures, put in place escalation procedures, checking mechanisms such as
reconciliations (Magnusson et al. 2010); and d) accept the risk or risk retention, by expressly
retaining risk according to the DMO risk strategy, for example, by automating DeM processes
there is acceptance of systems (IT) risks, or they are retained simply because they have not been
identified and evaluated (Shimpi, 2001).
The risk champion should then report to senior management on the greatest exposures, the risk
response to mitigate, control or limit the risks and estimate the costs. The response decision should
be made by senior management, who assess the cost-risk trade-off before making decisions.
There is an advantage in combining controls, for example, prevention and detection controls or
automated process controls and manual monitoring controls.
2.6.4 Implementation process
Once the risk response and controls have been approved, the risk champion can oversee the
implementation of the controls and mitigation techniques and integrate the wider risk
management monitoring policies and procedures for the DMU. This will include a) developing
training programmes for DeM staff and line managers to understand their roles and
responsibilities in compliance with ORM policies and procedures; b) raising awareness with
external parties to cover all activities external to the DMU (such as Central Bank and IT
department of Ministry of Finance) with a view to securing their cooperation in meeting similar
ORM standards as the DMU; c) introducing ORM into service level agreements with third
party providers and contracts with external suppliers; d) developing control tools and
mitigation strategies that are documented in procedures and monitored by DMU risk
monitoring and compliance unit and / or internal audit; e) developing reporting requirements,
particularly to senior management, of significant incidents and the process of review to ensure
they do not recur; and f) developing, maintaining and annually testing the business continuity and
disaster recovery plan (Magnusson et al. 2010).
2.6.5 Monitoring and reporting performance
The monitoring process assesses the functioning of the ORM policies and procedures.
Monitoring occurs in the normal course of DeM operations, first with line managers and then
through coordination with the risk monitoring unit in the middle office or risk champion. It
includes monitoring the top risks identified and assessed, and the sources of the risks.
It is important to report regularly to senior management on the risk profile, identifying areas of
improvement or decline and priorities for mitigating action. Reporting of incidents is important,
as is the control environment to address the weaknesses (Girling et al., 2010). One course of
action is to identify the line manager responsible for managing and controlling each of the
identified risks and requiring them to report periodically on increase or decline of the risks and
action taken if any. This ensures buy-in from the line managers of the business areas across all
DeM operations since they are involved in the process. To make reporting easier, incident
reporting formats should be provided by the ORM unit. This contributes to improved risk
awareness among staff and better understanding of the linkage between risks and controls
(Tokaç and Williams, 2013).
Identifying KRIs (explained in detail below), which are advance warning signs of risks, takes
some effort, and the KRIs should represent the most relevant forecast of DMU risks. The KRIs are
therefore monitored as they give the DMU advance warning that a risk could materialize. The risk
champion or risk monitoring unit will be responsible for collecting the reports together with
preparation of incident reports summarising the key points and main risk drivers and
recommendations for senior management consideration.
2.6.6 Continuous improvement
Operational risk management is developed and improved over time as experience grows and
capacity is built. This involves annually updating the business activities, processes and systems,
continuous risk identification and assessment, improving risk response and control and their
implementation, monitoring and reporting on the ORM processes. Whilst risk awareness takes
time to develop, once established it should be reinforced. Basic training should be given to new
employees with all staff being given periodic refreshers.
The initial setting up of the ORM framework requires some time and attention with several
meetings and workshops. However, staff become more supportive as their risk awareness
increases with time and the number of incidents falls. Full and visible support of senior
management is also relevant.
2.7 Managing and Integrating IT Risks into the Operational Risk Framework
Information technology (IT) and related systems are one source of operational risk. The process
of managing IT risk follows the same six steps of the operational risk management process
described above. Emphasis on IT (systems) risks has increased especially on the need to
mitigate cyber-attacks and unauthorized activity (fraud).
Information security and data quality management are important for proper debt recording and
ORM. According to World Bank’s (2015) DeMPA, DPI 12, effective debt administration and
data security includes: availability and quality of documented procedures for the processing of
debt-related payments; availability and quality of documented procedures for debt and
transaction data recording and validation, as well as storage of agreements and debt
administration records; availability and quality of documented procedures for controlling
access to the central government’s debt data recording and management system and audit trail;
and frequency and off-site, secure storage of debt recording and management system backups.
Pandey and Dar Juan (2013) identified a typical top list of IT operational risks as system
outages, loss of data or data integrity and unauthorized activity such as fraud. Once the IT risks
have been identified by asking users of automated systems, the assessment is done by
determining the likelihood of occurrence and potential impact if the risk materializes. The IT risks
are then monitored and reported through KRIs such as the number of change requests, outages
or duration of outages. When the IT risks materialize, each incident must be managed in the
interests of damage control (Pandey and Dar Juan, 2013).
2.8 Building Blocks of an Operational Risk Management Framework
Once the ORM framework, principles and drivers are in place, the following tools or techniques
can be used to effectively operationalize the framework.
2.8.1 Incident reporting
According to Girling et al. (2010), one key element of ORM is coordinating collection and
reporting of risk events (referred to as “incident reporting”) and tracking how mitigating actions
are being implemented. This provides a valuable insight into the current operational risk
exposure of the DMU. This focus on incident reporting enables the DMUs to better identify
control weaknesses and risk mitigation activities, and to evaluate risk events and outcomes as
an integral task of the ORM unit. The incident report should detail all recognized risk events
in the DMU’s functional areas, together with remedial measures implemented or
recommended. The ORM unit is best placed to develop a format for standardized reporting of
the incidents – see examples in Table 4 below – from which they would consolidate for the
entire DMU to drive decision making by senior management.
Table 4: Examples of Incidents
Internal fraud – unauthorised activities, theft and fraud through collusion of employees
External fraud – theft, systems security breach through hacking or theft of information
Inappropriate business practices – fiduciary breaches, guidelines violations
Damage to physical assets – natural disaster losses, terrorism, vandalism
Business disruption and system failures – hardware or software failures, telecommunications and utility outage or disruptions, delays in system availability or system errors
Poor execution and process management – miscommunication, data entry, maintenance or loading errors, missed deadlines, accounting errors, failed mandatory reporting obligations, missing legal documents, inaccurate reports, process delays, inadequate staff capacity, outsourcing inefficiencies or vendor disputes
Source: Girling et al., 2010
2.8.2 Risk and control self-assessments (RCSA)
Risk and control self-assessment is an ORM framework tool used by a functional unit to
articulate its risks. A well designed RCSA tool provides insight into risks that exist in the DMO
that may or may not occur. RCSA is to be conducted by the DMO by developing a matrix that
identifies the business activities, their objectives, risks expected, reasons or source of the risk,
existing controls, scoring of risks on the likelihood and impact of the risks with the existing
controls and further suggestions or recommendations for improvement if any.
The subjective nature of the RCSA presents both its biggest advantages and its strongest
challenges. The advantages are that it embeds the culture of ORM and each functional unit
takes ownership of its own risks and controls and therefore can then prioritise mitigating
actions and escalate risks that require higher authority for remediation (Girling et al., 2010).
The challenge on the other hand is that a subjective view can be considered as less accurate
than an independent external view and there may be some scepticism over the scoring. A well
designed RCSA tool can produce accurate and transparent operational risk reporting that can
be used effectively in the DMU.
RCSAs should be included in the audit cycle, with each functional unit audited as to its
participation in the RCSA programme and the accuracy of its scoring. For example, incidents
reported should be compared to RCSA scores as a check. If incidents are high in an area that
has been scored as low in the RCSA, that would raise a serious question as to the quality of the
self-assessment. The risk exposure matrix in Table 1 can be used for scoring the likelihood and
impact of an event occurring or scoring the non-financial impacts such as reputational damages,
legal or regulatory exposures.
The RCSA can be done through questionnaires, workshops or a hybrid of the two. To ensure a
successful RCSA tool, it is prudent to interview participants beforehand, review available
background information from other functions, review past RCSAs if any and review incident
reports. In addition, carefully select participants (ideally some of whom would be trained in the
RCSA method beforehand), document results, score appropriately, identify mitigating actions,
identify themes and implement appropriate technology (Girling et al., 2010).
2.8.3 Scenario analysis
Scenario analysis[20] has become an important element in ORM and the methods used have been
evolving rapidly in recent years. Scenario analysis is used to evaluate the DMU’s exposure to
high-severity events. Unlike RCSA analysis, scenario analysis focuses on the “fat-tail” events
or rare, catastrophic events. These events can put the DMU at serious risk. Scenario analysis is
used to derive reasoned assessments of plausible severe losses. The assessments are then used
to explore ‘what-if’ cases that may be beyond the current experience of the DMU. External
data play a key role in scenario analysis as they provide insight into what has already occurred
in other DMUs within the region or with similar economic structures.
According to Girling et al. (2010), scenario analysis can be conducted through a workshop
approach or by conducting interviews. It is important to ensure that scenario analysis
workshops and interviews are facilitated by someone who is knowledgeable on the subject
matter of the scenarios under discussion. While designed to produce fat-tail estimates, scenario
analysis is often also responsible for the identification of significant mitigation activities that
should be undertaken in order to lessen the risks identified (Girling et al., 2010).
Some overlap can occur between RCSA tool and scenario analysis. The DMU can combine the
two elements of the operational risk framework and at the end of the RCSA workshop ask the
participants to consider the same risks in an environment where all controls fail or extreme
conditions occur. Most operational risks that have a high impact occur as a result of multiple
control failings and the RCSA process can help with the thought process behind imagining
such events. In this way, participants can extrapolate from known and relatively well controlled
risks to extreme but plausible fat-tail events (Ernst & Young, 2013), demonstrated in Figure 5.
20 Basel II section 675, “A bank must use scenario analysis in conjunction with external data to evaluate its exposure to high-severity events. This approach draws on the knowledge of experienced business managers and risk management experts to derive reasoned assessments of plausible severe losses. For instance, these expert assessments could be expressed as parameters of an assumed statistical loss distribution. In addition, scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.”
Source: Ernst & Young, March 2013
2.8.4 Key risk indicators
Key Risk Indicators[21] (KRIs) are used in the ORM framework to keep a finger on the pulse of
the changing risk environment. External risk factors, internal risk factors and the control
environment can be monitored using KRIs. The challenge with KRIs is to identify a suitable
metric that is truly measuring risk levels. Most metrics only count something and should not
be confused with a true KRI (Girling et al., 2010).
For example, the number of inaccurate debt data entries in a given period does not alone
indicate rising or falling risk levels unless it is combined with other related metrics, such as
volume. So an indicator that measures the percentage of inaccurate debt data entries in a given
period to the total volume of debt data entries is a more helpful indicator and might be a true
KRI. Other examples are in Table 5 below.
There are different types of indicators and each has its own strengths and weaknesses and can
be used effectively in the right place. Firstly, key performance indicators (KPIs) which measure
how well something is performing or how efficient it is. For example, the average time taken
to resolve an IT help desk request. Secondly, key control indicators (KCIs) which measure how
effectively a control is working. For example, the number of viruses caught in a virus protection
screen is a KCI. The number of viruses that got past the virus protection screen is also a KCI.
21 KRIs potentially cover people, compliance, IT and Infrastructure, business continuity and process management.
Figure 5: Loss severity distribution
The indicators selected by the DMU to monitor its risk may be KPIs or KCIs or combinations
of the two.
Table 5: Examples of key risk indicators
Basic indicator | Description | Possible parameters
People KRI examples
Staff turnover | A simple metric that tracks #[22] of staff leaving and joining | # of leavers; # of joiners
Educational and professional levels | Highest level of education for each employee and professional exams taken and passed | High school, Bachelors, MA, Ph.D. FRM, CPAs, CFA etc.
Compliance KRI examples
Number of open compliance issues | Remediating actions are often required by compliance departments | # of actions open, # of actions late, # of high priority actions open
IT and infrastructure KRIs
Network downtime | Measures resiliency of the network | Days/hours/minutes down; by process/departments/system etc.
# of security breaches | # of virus/hacker attacks may indicate stability of the systems and security confidence | # total attacks; # of attacks caught at firewall; # of attacks penetrating security
Business continuity KRI
# of completed continuity plans | Tracks how many plans are in place, but does not evaluate their quality. Quality may be scored by BCP team | # of plans; # of plans scoring as ‘high’; date since last update plan
Source: Girling et al., 2010, The GARP Risk Series: Operational Risk Management, p85-87
It is helpful to complete the RCSA tool before developing KRIs so that the search for the most
appropriate indicators can be narrowed down to only those metrics that are relevant to the risks
that have been identified in the RCSA. Each KRI must be monitored and the minimum
standards for the KRIs set by the risk management section. For each KRI, certain criteria need
to be set, that is: name of the indicator, risk that is being monitored, method of calculation,
owner of the KRI, red flag threshold or red, amber, green thresholds, and reporting period. The
biggest challenge with KRIs is finding the right one. Regional benchmarking by the DMO is
important to compare its KRIs with its peers’. This will offer the DMO a sense of security
about its indicators and their stability; and an indication of whether the controls being
monitored are operating above or below the regional standards.
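The distinction drawn above between a raw count and a volume-adjusted KRI, together with the criteria to be set for each KRI, can be illustrated with a short worked example. It is an added illustration and not part of the original paper; the class and function names, owners, thresholds and monthly figures are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Observation = Dict[str, float]


@dataclass(frozen=True)
class KRI:
    """A KRI carrying the criteria listed in the text: name, risk monitored,
    owner, reporting period, method of calculation and amber/red thresholds."""
    name: str
    risk_monitored: str
    owner: str
    reporting_period: str
    calculate: Callable[[Observation], float]  # method of calculation
    amber: float  # status is amber at or above this value
    red: float    # status is red (the red flag) at or above this value

    def status(self, obs: Observation) -> str:
        value = self.calculate(obs)
        if value >= self.red:
            return "red"
        if value >= self.amber:
            return "amber"
        return "green"


def pct(numerator: str, denominator: str) -> Callable[[Observation], float]:
    """Ratio method of calculation; a period with no volume scores 0 (assumption)."""
    def calc(obs: Observation) -> float:
        total = obs[denominator]
        return 100.0 * obs[numerator] / total if total else 0.0
    return calc


# Constructed owners and thresholds; a DMU would set its own.
COUNT_KRI = KRI("Inaccurate debt data entries (count)", "Poor debt data quality",
                "Back office", "monthly", lambda o: o["inaccurate"],
                amber=10, red=15)
RATIO_KRI = KRI("Inaccurate debt data entries (% of volume)", "Poor debt data quality",
                "Back office", "monthly", pct("inaccurate", "entries"),
                amber=2.0, red=5.0)
PENETRATION_KRI = KRI("Attacks penetrating security (% of total attacks)",
                      "Systems security breach", "IT unit", "monthly",
                      pct("attacks_penetrating", "attacks_total"),
                      amber=1.0, red=3.0)

# Constructed monthly observations (not data from the study).
OBSERVATIONS: List[Tuple[str, Observation]] = [
    ("2017-01", {"entries": 500, "inaccurate": 8,
                 "attacks_total": 200, "attacks_penetrating": 1}),
    ("2017-02", {"entries": 900, "inaccurate": 12,
                 "attacks_total": 350, "attacks_penetrating": 2}),
    ("2017-03", {"entries": 150, "inaccurate": 9,
                 "attacks_total": 120, "attacks_penetrating": 4}),
    ("2017-04", {"entries": 500, "inaccurate": 5,
                 "attacks_total": 300, "attacks_penetrating": 0}),
]


def report(kris, observations):
    """One row per period and KRI: (period, name, value rounded to 2 dp, status)."""
    return [(period, k.name, round(k.calculate(obs), 2), k.status(obs))
            for period, obs in observations for k in kris]


def disagreements(count_kri, ratio_kri, observations):
    """Periods where the raw count and the volume-adjusted ratio give different signals."""
    return [(period, count_kri.status(obs), ratio_kri.status(obs))
            for period, obs in observations
            if count_kri.status(obs) != ratio_kri.status(obs)]


def red_flags(kris, observations):
    """(period, KRI name, owner) for every red status, for reporting to senior management."""
    return [(period, k.name, k.owner)
            for period, obs in observations for k in kris
            if k.status(obs) == "red"]


if __name__ == "__main__":
    for row in report([COUNT_KRI, RATIO_KRI, PENETRATION_KRI], OBSERVATIONS):
        print(row)
    print("count vs ratio:", disagreements(COUNT_KRI, RATIO_KRI, OBSERVATIONS))
    print("red flags:", red_flags([RATIO_KRI, PENETRATION_KRI], OBSERVATIONS))
```

In the constructed data the raw count raises an amber flag in the busiest month, when the error rate is lowest, and stays green in the quiet month, when 6 percent of entries are inaccurate; the ratio gives the opposite and more useful signal.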
2.8.5 Effective reporting
An ORM framework is designed to identify, assess, monitor, control and mitigate operational
risks. The implementation of the ORM framework six-step process together with effective
reporting will develop an effective environment in changing the risk culture of the DMU.
Reporting of operational risks is key to the success of operational risk management.
An ORM unit or risk champion in the DMU should be looking to report on: incidents within a
given time period, remedial action being taken, KRIs, results of RCSA and results of scenario
22 # represents number
analysis, and whether risk exposures have changed. In addition, the reporting should also focus
on addressing: where the risk is, what action needs to be taken, what is under control and what
is not, and whether the legislative requirements in relation to DeM are being met.
Effective reporting is then presented in a way that demonstrates the operational risk managers’
responsibilities. Once the data on operational risks in DeM have been gathered, the operational
risk managers should also: analyse the raw data; analyse trends and predictors through the KRIs
(such as staff turnover, capacity levels, systems usage and capacity etc.); follow news articles
(such as security awareness that would influence and affect business continuity or data
security); and present opinions and recommend action and mitigating strategies to senior
management for better decision making.
2.9 Business Continuity and Disaster Recovery Planning (BCP/DRP)
A business continuity plan (BCP) mitigates some but not all risks. Operational risk
management is about all risks that impact on business objectives. Business continuity
management (BCM) or the BCP is the development, implementation and maintenance of
policies, frameworks and programmes to assist DMU to manage in the event of a business
disruption as well as build DMU resilience (Storkey, 2011). Resilience comes from tackling
the likelihood as well as the consequences of disruptive events. A BCP assists in preventing,
preparing for, responding to, managing and recovering from the impacts of an incident or
disruptive event.
According to Storkey (2011), a BCP should address the subset of operational risks where
environmental factors or poor operational controls raise the potential for loss of or damage to
DMU operations (including people, information, infrastructure and premises). With the support
of all staff, the DMU should maintain a BCP/DRP that the government and external
counterparties will view as sound practice (IMF, 2011). Disaster recovery is the process of
regaining access to the data, hardware, and software and having the minimum number of staff
necessary to resume critical business operations after a natural or human induced disaster. The
DRP concentrates on improving resilience and ensuring mitigation techniques are put in place
for those areas identified as having a combination of very high/high probability and
catastrophic/major impact as seen in Table 2.
2.9.1 Debt management policy for business continuity planning
Firstly, under its policy for BCP, the DMO should perform a business impact analysis (BIA)
and develop mitigation strategies which will ensure continuity of its operations and IT systems
in the event that the existing environment is unavailable. Secondly, it should develop and
maintain a comprehensive BCP/DRP to ensure that essential DMU activities are recoverable.
Thirdly, a BCP/DRP should be developed in accordance with international standards such as
BCM standards BS-25999 or International Standards Organization ISO-27031. Finally, the
status of BCP/DRP should be reported annually to the DMO senior management.
The BCP/DRP for the DMO should be an integral part of the ORM framework and developed
to ensure that the following objectives are met: the government’s interests are protected in
terms of reputation, reporting and impact on DMU operations; the DMO meets all statutory,
contractual and market obligations in relation to debt management (signed agreements,
payments, refinancing etc.); reestablishment of a disrupted critical activity within the
designated recovery period using the DRP; and regular update of DeM units’ BCP/DRP with
ongoing staff training and testing.
2.9.2 Developing BCP/DRP
According to Storkey (2011), a six-step process similar to that of the ORM framework is used to
develop the BCP/DRP. This includes: (a) documenting business activities and critical processes
and systems; (b) undertaking BIA to assess probability and impact; (c) developing BCP/DRP
(including those of third parties); (d) implementing or updating the BCP/DRP; (e) training to
embed the BCP into the day-to-day operations of the DMU; and finally (f) regular (annual)
testing and updating. According to World Bank’s (2015) DeMPA, proper BCP of the DMO
requires, firstly, documented procedures and manuals on all DeM operations, processes and
systems which can be reasonably relied on; secondly, proper and secure storage and filing of
the documented manuals, signed loan agreements and availability of DeM data; and thirdly, secure
storage of the data, with daily, weekly and frequent back-ups of the information in the DeM
systems stored off-site. The BCP/DRP should therefore be well written and tested.
2.10 Empirical Literature
According to MEFMI In-Country Workshop (2015), the MEFMI countries have large gaps in
the implementation of ORM principles in their DeM functions. The DeMPA DPIs for ORM
are debt administration and data security and segregation of duties, staff capacity and business
continuity. These gaps include: inadequate segregation of duties; inadequate staff capacity and
human resource management; lack of establishing an ORM plan including BCP/DRP
arrangements; limited availability and quality of documented procedures for processing debt-
related payments, storage of agreements, controlling access to government’s debt data
recording and management systems and audit trail; and lack of frequent off-site, secure storage
of debt recording and management system backups. Figure 6 shows the DeMPA results
performed on the MEFMI member countries between 2010 and 2014.
Source: MEFMI In-Country Workshop (2015), Public Debt Management Performance Assessment (DeMPA).
Magnusson et al. (2010) found that the experience with undertaking the DeMPA assessments
across 27 developing countries (as at end December 2009) showed that most of these countries
did not meet the minimum requirements in the ORM areas. Only 22 percent of the countries
met the minimum requirements for DPI 12 - Debt Administration and Data Security while
only 11 percent met the minimum effectiveness requirements on DPI 13 – Segregation of
duties, Staff Capacity and Business Continuity.
[Figure 6: bar chart, image not reproduced. Vertical axis: Proportion of MEFMI Countries with performance of C or above. Horizontal axis: Debt Management Performance Indicators.]
Figure 6: Assessment of DeMPA Results in MEFMI Region with performance of C or above
3.0 RESEARCH DESIGN AND METHODOLOGY
3.1 Research Hypothesis
The purpose of this study was to establish the extent of implementation and usage of ORM
principles, framework and adequate business continuity methodologies in DMUs of MEFMI
member countries. The aim was to provide practical policy recommendations on best practice
of ORM to manage operational risks better and more effectively.
From the literature, it was clear that appropriate and sound ORM principles and framework are
key to optimizing ORM of government debt in MEFMI region through mitigation of
operational risks. The study was also prompted by reported concerns of: a) inadequate
operational risk governance practices and risk management environments in DMUs, negatively
affecting government DeM; b) limited level of engagement of both internal and external audit
of the DMU operations of the MEFMI member countries; and c) weak ORM framework,
limited ORM tools, and poor BCP techniques within the MEFMI member countries.
3.2 Research Design
The study used both exploratory and descriptive designs. The use of exploratory design was
appropriate to establish how and to what extent the ORM principles and framework had been
implemented in MEFMI countries. It also explored the deficiencies in sound operational risk
governance practices, appropriate risk culture and awareness, and adequate policies and
procedures to support ORM. Descriptive research was considered appropriate to this study
as it would determine and report the way things are, since the study involved fact finding and
enquiries of different kinds to describe the state of affairs (Cooper and Schindler, 2003).
3.3 Study Population
The population consisted of all the fourteen MEFMI member countries’ debt management
offices/departments/units. Some of these were domiciled at the Ministry of Finance (National
Treasury) and some at the Central/Reserve Banks.
3.4 Research Methodology
The study was based mainly on primary data. However, where secondary data from the MEFMI
member countries’ DeMPA reports between 2010 and 2014 were available, these were utilised.
The primary research was achieved using a structured questionnaire, emails and follow-up
telephone conversations.
3.5 Design of Research Instrument and Data Collection
The questionnaire was designed from a comprehensive review of existing literature. It was
carefully designed to avoid some of the challenges associated with questionnaires.
Considerable attention was given to the organization, format and content of the questions in
order to improve response rate. This included: clearly worded questions to allow for ease in
answering; use of split question technique also known as unfolding technique to minimize
information loss. The questionnaires were both closed and open-ended so as to allow the
respondents to express their views without undue limitation. The questionnaires were
distributed through emails.
3.6 Data Analysis
Data collected in the study were analysed using frequency tables and graphs, and descriptive
statistics. Presentation is given in form of graphs, tables, charts as well as statistical figures.
4.0 DATA ANALYSIS, PRESENTATION AND FINDINGS
4.1 Overview
This chapter provides general information of the study population domiciled at either the
Ministry of Finance or the Central/Reserve Bank. The study went further to incorporate one
other country (Mauritius) which participates in some of the MEFMI programmes.
All the fourteen MEFMI member countries and two other countries within the region
(Mauritius and Seychelles) were sampled. An overall country response rate of 81 percent of
the targeted sample was realized, that is, thirteen out of the sixteen countries. The aggregate
response rate which incorporated two responses from some countries, from the Ministry of
Finance and Central Bank, was 77 percent of the targeted sample. Data analysis was done using
the 17 filled and returned questionnaires. This was deemed adequate and sufficient for purposes
of data analysis.
As shown in Table 13 (this and Tables 14 and 15 can be found in Appendix 1), four countries
provided responses from both the Ministry and the Central Bank where key functions of debt
management are carried out by both offices. The respondents were quite cooperative as
reflected in the response rate above. The data provided were taken to be a true representation
of ORM practice in government debt within the MEFMI region due to the quality of
respondents as shown in Table 14.
Of the 17 responses, 76.5 percent work in the DMU, while 23.5 percent do not - see Figure 7.
However, those who do not work in the DMU stated that they performed some of the DeM
functions on a delegated role from their different departments such as statistics and financial
markets.
[Figure 7: chart, image not reproduced. Yes: 76.5% (13); No: 23.5% (4).]
Figure 7: Placement of respondents in Debt Management Office (DMO)
4.2 Structure and Performance of the Debt Management Functions
4.2.1 Structure of the debt management functions
According to Wheeler (2004), sound governance considerations suggest that DeM functions
should be consolidated in one location and organised along functional lines. Functional
responsibilities for managing transactions are divided among offices within the DMO, and
procedures are established to ensure internal controls and accountability. Usually, this involves
the creation of front, middle and back offices separately reporting to the head of the DMO.
In order to determine the structure of the DeM function within the MEFMI region, respondents
were asked to state if the structure of the DMO was divided into: a) front office – resource
mobilization; b) middle office – strategy and risk management; c) back office – debt records,
transactions and payment processing. The results in Figure 8 show that about 41 percent of the
respondents did not have this structure while 12 percent opted not to answer the question. Only
about 47 percent had this structure in place.
Some of the explanations given for existence of different structures were: there is no set DMO
but the functions are performed from different offices and departments; DMO is divided into
middle office and back office only; and DMO is structured according to product line (such as
domestic debt and external debt). In some countries it is likely that limited staff numbers made
it difficult to create three separate functional units. Table 15 shows the results as distributed
within the MEFMI region.
[Figure 8: bar chart, image not reproduced. Yes: 47; No: 41; Skipped: 12. Vertical axis: Response distribution in %. Horizontal axis: Responses.]
Figure 8: Structure of DMO is divided into: Front office; Middle office; & Back office
4.2.2 Principal debt management functions performance within MEFMI region
The principal DeM functions are domestic securities borrowing, external securities borrowing,
external loans and credit sourcing, strategy and risk management, and debt records, transaction
and payment processing. Figure 9 shows that domestic securities borrowing is mainly
performed by the Central Banks at 88 percent of the respondents. The ministry DMO on the
other hand mainly performs all the other functions as shown by more than 70 percent of total
respondents.
The Central Banks also substantially contribute to debt records, transaction and payment
processing function as shown by 53 percent of the responses. However, 29 percent of the
respondents did not provide an answer on the external securities borrowing function. The main
reason given for this was that there is no external securities borrowing. No DeM
function was carried out by any body other than the Central Bank and the Ministry DMO.
Where the functions are carried out by the Central Banks, Table 6 shows that 53 percent have
a signed agency or service level agreement between the Central Bank and the government
DMO. However, 29 percent did not have a signed agreement whereas 18 percent were not sure.
Table 6: Presence of signed agreements within the MEFMI region
Signed agency or service level agreement | Response Count | Response Rate in %
Yes | 9 | 53
No | 5 | 29
Not sure | 3 | 18
[Figure 9: bar chart, image not reproduced. Vertical axis: Performance Level. Horizontal axis: Principal Functions of Debt Management Office (Domestic securities borrowing; External securities borrowing; External loans and credit; Strategy and Risk Management; Debt records, transaction and payment processing). Series: Other body; Central Bank; Ministry DMO; Skipped.]
Figure 9: Performance of principal debt management functions
4.3 Implementation of ORM in the DMOs
4.3.1 DeMPA debt performance indicators for ORM
Of the thirteen countries that responded to the study as shown in Table 13, ten countries
confirmed that they had undertaken a DeMPA while three stated they had not. All the ten are
MEFMI countries which shows at least 70 percent of the total MEFMI countries had taken a
step towards assessing their DeM performance.
From the study, only six countries provided the scores of the DPIs for ORM and therefore the
available secondary data on DeMPA by MEFMI countries were utilised as shown in Figure 6.
Reasons given from both the respondents and secondary data for low performance in DeMPA
ORM debt performance indicators are presented in Table 7.
Table 7: Reasons for low performance in DeMPA DPIs of ORM
Debt performance indicator (DPI) | % of MEFMI countries with a score of at least C | Reasons for low performance
DPI 12 – Debt administration and data security | 33% | Lack of draft procedures for processing debt; Absence of secure storage of loan agreements, administration records; Absence of documented procedures for data recording, validation and storage of debt records, processing payments as well as for controlling access to debt records; Lack of documented procedures and policy on systems access
DPI 13 – Segregation of duties, staff capacity and business continuity | 25% | Lack of consolidation of debt management functions in one location along functional lines (the debt management functions are performed across different departments); Front, middle and back office functions being performed in one section/unit hence failure in segregation of duties, for example, middle office involved in negotiations and approving payments; Absence of a risk champion or risk monitoring or compliance unit in the middle office of the DMOs; Absence of written business continuity and disaster recovery plans
4.3.2 Practice of operational risk management
Figure 10 shows responses on the practice of both ORM and general risk management within
the DMOs of the various MEFMI countries. Eight (47 percent) of the total respondents practice
some form of ORM, whereas 35 percent do not, and three respondents (18 percent), that is,
Zimbabwe, Tanzania (Central Bank) and Malawi (Central Bank), opted not to answer.
Sixteen respondents provided a reply on the practice of general risk management; one,
Malawi (Central Bank), did not. Of the total respondents, 76 percent carry out general risk
management while 18 percent do not - see Table 8.
Table 8: Risk management practice and performance in the MEFMI region countries
Risk management practice | Performance of Risk Management | MEFMI Region Countries
Overall Risk Management | Yes | Mozambique, Kenya (Ministry), Uganda (Ministry and Central Bank), Zimbabwe, Botswana, Namibia (Ministry and Central Bank), Tanzania (Ministry and Central Bank), Zambia (Ministry) and Mauritius
Overall Risk Management | No | Lesotho, Swaziland, Kenya (Central Bank)
Overall Risk Management | Skipped | Malawi (Central Bank)
Operational Risk Management | Yes | Mozambique, Kenya (Ministry and Central Bank), Uganda (Ministry and Central Bank), Namibia (Ministry), Botswana and Mauritius
Operational Risk Management | No | Lesotho, Tanzania (Ministry), Swaziland, Zambia (Ministry), Rwanda and Namibia (Central Bank)
Operational Risk Management | Skipped | Malawi (Central Bank), Tanzania (Central Bank) and Zimbabwe (Ministry)
[Figure 10: Operational risk and general risk management practice. Bar chart of the number of MEFMI region countries answering Yes, No or Skipped, for risk management (market, credit & refinancing risk) and for operational risk management.]
The respondents went further to provide information on persons or offices in charge of
conducting overall risk management or ORM as shown in Figure 11; these are the middle
office, line managers, ORM unit (for those who practice ORM) and others, which included cash
flow unit, financial adviser and back office.
Of the twelve responses received, none of the respondents carry out overall risk management
and ORM specifically using risk champions or coordinators and/or risk monitoring unit. It was
commendable that 50 percent of the respondents have placed the responsibility of performing
risk management within the middle office. These are Uganda (both Ministry and Central Bank),
Zimbabwe (Ministry), Mauritius, Kenya (Ministry) and Tanzania (Ministry).
One respondent, Kenya (Central Bank), had the ORM unit responsible for its ORM. The unit is
a section within the financial markets department. However, five respondents skipped answering
the question; three did so because they do not perform ORM, namely Lesotho, Swaziland and
Rwanda. The other two who skipped had not answered the previous question either, that is,
Malawi (Central Bank) and Tanzania (Central Bank).
4.4 Existence of and Constraints to Sound Operational Risk Governance Practices in the DMOs
The questionnaires issued provided a number of questions that respondents would fill to give
an indication on the practice of and gaps in sound operational risk governance practices.
[Figure 11: Responsibility for overall risk management and operational risk management. Bar chart of the share of respondents by responsible office: Middle office; Risk champion/specialist/coordinator; Line manager (functional/business area manager); Operational risk management unit; Risk Monitoring Unit; Other, Specify.]
4.4.1 MEFMI region’s familiarity with ORM
The findings as seen in Figure 12 show that around 70.6 percent of the MEFMI region countries
are familiar with ORM; however, 29.4 percent were either not familiar, not sure or skipped the
question. The majority are familiar with ORM but more effort is required in building capacity
of those who are not, which represents respondents from four MEFMI countries, namely
Rwanda, Mozambique, Malawi and Tanzania.
4.4.2 Practice of sound operational risk governance in the DMOs
Sound operational risk governance is the first principle of ORM as identified in the literature
review. This principle was further broken down into four statements as shown in Table 16. The
various aspects of the practice of sound operational risk governance are shown in Figure 13 as
1. a), b), c), and d) and demonstrated in Table 16.
Eight respondents (47 percent) agree that their line managers in DeM are responsible for
identifying and managing risks within their functions. However, five respondents (29 percent)
did not know or disagreed with this and a further four respondents (24 percent) skipped the
question. On the other hand, eight respondents stated there is no independent ORM function,
while two were neutral and four skipped. Only three (18 percent) respondents agreed that they
had an independent ORM function. Nine (53 percent) respondents stated there was an
independent review by internal or external audit of the DeM functions while the rest were either
neutral, disagreed, strongly disagreed or skipped the question. 29 percent of the respondents
agreed that there is a strong risk culture and good communication on operational risk
management. The other 71 percent were either neutral, disagreed, strongly disagreed or skipped
the question.
[Figure 12: Familiarity with operational risk management. Pie chart of responses: Yes, No, Not Sure, Skipped question.]
The findings show that in the majority of countries there are few sound operational risk
governance practices with the main constraints being absence of an independent ORM function
(88 percent) and absence of a strong risk culture or communication on ORM (71 percent).
4.5 Practice and Constraints of Appropriate Risk Management Environment in the DMOs
Appropriate risk management environment is the second principle of ORM. This principle was
expounded into seven statements and findings on their practices and constraints analysed as
shown in the second part of Figure 13 and Table 16.
Seven respondents (41 percent) agree that the senior management are aware of the major
operational risk exposures while the rest (59 percent) were either neutral, disagreed or skipped
answering. Only six respondents (35 percent) agreed that senior management safeguard
independent audit arrangements. The other 65 percent skipped the question, were neutral or
disagreed with this statement. Five respondents (29 percent) agreed that the Minister or Head
DMO had taken a lead in establishing a strong risk culture, but the remaining 71 percent were
neutral or disagreed with this narrative.
In relation to comprehensive and regular internal audit of the ORM framework being done by
independent, trained and competent staff, 76 percent disagreed, were neutral or skipped
providing an answer. More than 58 percent were either neutral, skipped answering or disagreed
that there was clarity of roles, responsibilities and objectives of government institutions
responsible for DeM and ORM; an annual report prepared to inform the legislature and the
public on the outcomes of DeM strategy and operations; and annual external audits done of
DeM activities, information technology and risk control procedures.
[Figure 13: Implementation and development of ORM principles in the respondent countries DMOs. Bar chart of the number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for each statement under Operational Risk Management Principles 1. a) to d) and 2. a) to g).]
4.6 Design and Acceptance of ORM Framework in the DMO
From the literature review, design and acceptance of an ORM framework in the DMO are
influenced by three drivers of ORM, which are governance, culture and awareness, and policies
and procedures. The questionnaires provided a number of questions determining the extent to
which the ORM drivers had influenced the design and acceptance of ORM framework.
Part 1 of Table 17 and Figure 14 show that about 41 percent of the respondents agree that the
ORM function is independent, important and relevant to the DMO and that the ORM function
lies within the middle office with other risk management functions. However, the other 59
percent were neutral, skipped the question or disagreed with these two statements.
It is evident that about 40 percent of the MEFMI region countries have implemented some
aspects of ORM and it lies within the middle office which is a good practice. However, the rest
have very little to no form of ORM practice. More than 70 percent of the respondents did not
know, disagreed or skipped the questions/statements addressing the different aspects of
governance, culture and awareness and policies and procedures that influence design and
acceptance of ORM framework in the DMO.
A further analysis on the data was made, using mean scores as represented in Table 17 ranked
on a five point Likert scale,[23] with 1 taken to represent strongly agree and 5 taken as strongly
disagree. The skipped responses were not used in the further analysis. It showed that statement
1 a) and b) had a mean of 2.7 and 2.8 with a standard deviation[24] of 0.9 and 1.0 respectively.
The results again show that about 41 percent of the respondents had the ORM function
independent, relevant to DeM office and placed within the middle office. A majority of the
respondents mostly agreed or were neutral about these two statements. The responses were
close together around the standard deviation of one; hence the responses of all countries did
not significantly vary from the mean.
[23] Likert scales are survey questions that offer a range of answer options — from one extreme attitude to another, like “extremely likely” to “not at all likely.” Typically, they include a moderate or neutral midpoint. This scale asks the person rating, to agree or disagree with statements that express either favourable or unfavourable attitudes toward the object. The strength of attitude is reflected in the assigned score and individual scores may be totalled for an overall attitude measure.
[24] Standard deviation is a descriptive statistic. It is a measure of dispersion that shows how the different units vary. It is the most frequently used measure of the spread or variability of a set of data.
However, the other statements in relation to governance, culture and awareness and policies
and procedures had mean scores above 3 showing that the majority of the respondents did not
practise the ORM drivers. The standard deviations were mostly clustered between 0.86 and
1.15 showing the responses clustered together; for driver 1 d) the standard deviation was even
lower at 0.64. The results thus show that a majority of the ORM drivers are not implemented
in the MEFMI region.
4.7 Constraints to Implementation of ORM Drivers in the DMOs
Twelve respondents (70 percent) provided feedback to the question on constraints to
implementation of ORM drivers. The other five from Mozambique, Malawi, Tanzania
(Ministry and Central Bank) and Uganda (Central Bank) skipped the question.
As represented in Figure 15, the majority of the respondents (67 percent) identified limited or
inadequate resources and lack of knowledge and understanding of the ORM drivers as
constraints. The main causes of failing to implement ORM drivers in the DMOs were
inadequate staffing and lack of capacity and skills. About 50 percent stated that inadequate
policies and procedures on ORM were also a constraint. At the same time five other constraints
were also identified by the MEFMI region countries as shown in Figure 15.
[Figure 14: ORM drivers influence to the design and acceptance of ORM framework in the DMO. Bar chart of the number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for each statement under Operational Risk Management Drivers 1. a) to g), 2. a) to c) and 3. a) to b).]
4.8 Overall Implementation of ORM Framework in the MEFMI Region DMOs
The findings in Table 9 and Figure 16 show that 35 percent of respondents have an ORM
framework in their DMOs. However, the majority at 65 percent do not have an ORM
framework or skipped answering the question altogether. The ways in which the countries
have implemented an ORM framework include incorporating it in the overall risk management
framework, having departmental risk registers and having a detailed operations manual that
acts as a guide. This was the case for Uganda and Kenya Central Banks.
Table 9: Response on implementation of ORM framework in the DMOs
| Response | Country |
| --- | --- |
| Yes | Kenya (Ministry and Central Bank), Uganda (Central Bank), Namibia (Ministry and Central Bank) and Mauritius |
| No | Rwanda, Botswana, Zambia, Zimbabwe, Tanzania (Central Bank) and Uganda (Ministry) |
| Skipped | Mozambique, Malawi (Central Bank), Tanzania (Ministry), Swaziland and Lesotho |
[Figure 15: Constraints to implementation of ORM drivers in the MEFMI Region Countries DMOs. Bar chart of the share of respondents citing each constraint: Limited / inadequate resources; Lack of knowledge/understanding; Poor risk culture and awareness; Lack of involvement and participation of all staff; Inadequate policies and procedures on operational risk management; Poor sound operational risk governance practices; Inadequate managerial structure; Inadequate policies and structures on internal and external audit of…]
4.9 Implementation of the Six-step Process of ORM Framework in the DMOs
Table 18 and Figure 17 show how the six-step process of ORM framework has been
implemented in the MEFMI region.
4.9.1 Understand and document business activities
From the findings as shown in Table 18 and Figure 18, five respondents (29 percent) skipped
responding to this question entirely since they do not practice ORM in their DeM offices while
one did not respond to some parts of the question. Those who skipped were from Swaziland,
Tanzania (Ministry), Malawi (Central Bank), Lesotho and Mozambique. Botswana responded
partially. Seven respondents (41 percent) agreed that the DeM operations are understood and
documented into activities and processes. However, 30 percent were either neutral or disagreed.
[Figure 16: Implementation of an ORM Framework in the DMOs. Pie chart of responses: Yes, No, Skipped, Not Sure.]
[Figure 17: Implementation of the six-step process of ORM framework in the DMOs. Bar chart of the number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for each statement under steps 1 to 6 of the Operational Risk Management Framework six-step process.]
Seven respondents (41 percent) agreed that their DeM functions had stated objectives with
identified key risks. Four respondents (24 percent) were however neutral or disagreed while
the other six (35 percent) did not respond.
4.9.2 Risk identification and assessment
Figure 19 shows a majority at more than 60 percent of the MEFMI countries have not
implemented step two of the ORM framework. More than eleven respondents were either
neutral, disagreed or did not respond to the question. Only four respondents (24 percent) agreed
there was rating of risks identified while six respondents (35 percent) agreed that there were
engagement discussions with staff to develop risk understanding and culture in the DMO.
4.9.3 Risk response and controls
Table 18 shows 36 percent of the respondents agreed that there was a clear response to risks
identified and application of controls within the DMO. However, the majority stated otherwise.
[Figure 18: Implementation of step one of ORM framework. Bar chart, Step One: Understand and document business activities; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 1. a) and b).]
[Figure 19: Implementation of step two of ORM framework. Bar chart, Step Two: Risk Identification and Assessment; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 2. a) and b).]
Figure 20 shows nine respondents (53 percent) stated that they practice mitigation and control
of risks such as having a back-up generator to reduce impact of power disruption. This is the
one main aspect of risk response and control that is widely practised in the MEFMI region,
together with some form of risk acceptance at 47 percent of the respondents. However, the
majority do not respond or control risks within their DMOs by avoiding or transferring the
risks.
4.9.4 Implementation process
A majority of the MEFMI countries do not effectively implement the ORM framework. Less
than 40 percent of the respondents practice the different aspects of overseeing the
implementation of the controls and mitigation techniques as seen in Figure 21. The exception
is training of DeM staff to understand their roles and ensure compliance with ORM policies
and procedures, which is done by 41 percent of the respondents.
[Figure 20: Implementation of step three of ORM framework. Bar chart, Step three: Risk Response and Controls; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 3. a) and b. i) to iv).]
[Figure 21: Implementation of step four of ORM framework. Bar chart, Step Four: Implementation Process; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 4. a) to d).]
There is insufficient risk awareness with external parties to cover all activities external to
DMO, inadequate documentation of mitigation strategies and controls, and a lack of a
well-developed BCP and DRP with annual testing of the same as narrated in Table 18.
4.9.5 Monitoring and reporting performance
Figure 22 shows less than 30 percent of the respondents agreed that there was monitoring of
key risks by debt managers and / or risk unit, and that there was regular reporting to senior
management on key risks and significant incidents. More than ten respondents were neutral,
disagreed or skipped the question showing inadequate monitoring and reporting performance
on operational risks.
4.9.6 Continuous improvement
An analysis of implementation of the sixth step of the ORM framework within the MEFMI
region countries showed a majority (more than 70 percent of respondents) have no processes
to increase risk awareness of all staff. More than 50 percent also stated there was no full and
visible support from senior management on ORM as represented in Table 18 and Figure 23.
[Figure 22: Implementation of step five of ORM framework. Bar chart, Step Five: Monitoring and Reporting performance; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 5. a) and b).]
[Figure 23: Implementation of step six of ORM framework. Bar chart, Step Six: Continuous improvement; number of MEFMI region countries by response (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Skipped) for statements 6. a) and b).]
4.10 Familiarity with techniques of operational risk management framework
The literature review identified a number of tools or techniques that can be used to effectively
operationalize the ORM framework. The MEFMI region countries were asked to respond on
their familiarity with some of these techniques, the analysis of which is shown in Figure 24.
A majority of the respondents (53 percent) were familiar with key risk indicators and effective
reporting on operational risks as techniques of ORM framework. However, the majority of the
respondents at more than 80 percent were not well versed with the RCSA tool. Also, more than
50 percent were not familiar with incident reporting and scenario analysis.
4.11 Current implementation of the ORM framework techniques in the MEFMI region
The MEFMI region countries were asked if they practice and utilise any of the five identified
ORM framework techniques. The findings in Figure 25 showed that only about 35 percent
practised incident reporting in their DMOs while 29 percent used KRIs and effective reporting
as ORM framework tools. About 59 percent (10 out of 17) of the respondents practice and
utilize at least one of the ORM framework tools, with as few as three respondents using RCSA
and scenario analysis as displayed in Table 10.
[Figure 24: MEFMI Region countries familiarity to the techniques of ORM framework. Bar chart of the number of MEFMI region countries by level of familiarity (Highly Familiar, Familiar, Neutral, Hardly Familiar, Not at all Familiar, Skipped) for each technique of applying the ORM framework: Incident Reporting; Risk and Control Self-Assessment (RCSA); Scenario Analysis; Key Risk Indicators (KRIs); Effective Reporting – on operational risks and action taken.]
Table 10: MEFMI region practice of the tools for ORM within the DMOs
| Tools for ORM | Practicing MEFMI Region Countries |
| --- | --- |
| Incident Reporting | Mauritius, Uganda (Central Bank and Ministry), Kenya (Central Bank and Ministry) and Zambia |
| Risk and Control Self-assessment (RCSA) | Namibia (Ministry), Uganda (Central Bank) and Kenya (Central Bank) |
| Scenario Analysis | Mauritius, Zimbabwe and Botswana |
| Key Risk Indicators (KRIs) | Namibia (Ministry and Central Bank), Kenya (Ministry), Botswana and Uganda (Central Bank) |
| Effective Reporting | Mauritius, Kenya (Ministry), Zimbabwe, Botswana and Uganda (Central Bank) |
| None | Tanzania (Central Bank) |
| Skipped | Mozambique, Rwanda, Lesotho, Malawi, Tanzania (Ministry) and Swaziland |
[Figure 25: Utilization of the ORM framework tools in the DMOs within the MEFMI region. Bar chart of Level of Implementation for each tool: Incident Reporting; Risk and Control Self-Assessment (RCSA); Scenario Analysis; Key Risk Indicators (KRIs); Effective Reporting.]
5.0 RESULTS DISCUSSION
5.1 Discussion of Hypothesis One
Hypothesis one stated: there are inadequate ORM principles in the DMOs (that is, inadequate
sound operational risk governance practices and risk management environment) negatively
affecting government debt management.
The results indicate there are few adequate sound operational risk governance practices with 8
out of 17 respondents (47 percent) stating that line managers in all DeM functions are
responsible for identifying and managing risks in their functions. The main constraints to sound
operational risk governance were absence of an independent ORM function and absence of a
strong risk culture and communication on ORM. Only 3 out of 17 respondents (18 percent)
stated that an independent ORM function exists [Mauritius, Namibia (Ministry) and Kenya
(Central Bank)]. 5 out of 17 respondents (30 percent), that is, Kenya (Ministry and Central
Bank), Namibia (Ministry and Central Bank) and Mauritius, stated that there was a strong risk
culture and communication on ORM as shown in Table 16 and Figure 13. Four respondents
skipped the question, that is, Mozambique, Malawi and Tanzania (Ministry and Central Bank).
The results further show that there is inadequate risk management environment. More than 10
out of 17 respondents (59 percent) identified constraints to an appropriate risk management
environment as inadequate awareness of the major operational risk exposures by senior
management; failure by the Minister or Head DMO to take the lead in establishing a strong risk
management culture; lack of clarity on roles, responsibilities and objectives of government
institutions responsible for DeM and ORM; lack of an annual report prepared to inform
legislature and the public on the outcomes of DeM strategy and operations; and lack of annual
external audits done of DeM activities, information technology and risk control procedures.
These respondents include Rwanda, Lesotho, Swaziland, Uganda (Central Bank),
Mozambique, Malawi, Tanzania (Ministry and Central Bank) and, in some aspects, Zimbabwe
and Zambia.
The results on the practice of the two ORM principles within the MEFMI region therefore
supported the hypothesis.
5.2 Discussion on Hypothesis Two
Hypothesis two stated: there is very limited level of engagement of both internal and external
audit of the DMOs operations of the MEFMI member countries.
Hypothesis two addresses the low DeMPA rating of MEFMI member countries for the DPI
relating to audit as shown in Figure 6. This was analysed as part of the practice of sound ORM
principles in Figure 13 and Table 16.
The results showed that there is some level of independent review by both internal and external
audit of the DMOs’ operations with 9 out of 17 respondents (53 percent) agreeing. However,
the other 47 percent, representing six MEFMI countries, that is, Uganda (Ministry and Central
Bank), Tanzania (Ministry and Central Bank), Malawi, Mozambique, Lesotho and Swaziland,
were neutral, disagreed or skipped the question. The level of engagement was then determined
in the results on the practice of appropriate risk management environment.
76 percent disagreed, were neutral or skipped providing an answer on whether there is
comprehensive and regular internal audit of the ORM framework by independent, trained and
competent staff. Only four countries (24 percent) agreed with this statement, namely Mauritius,
Botswana, Namibia (Central Bank) and Rwanda. 65 percent also disagreed, were neutral or did
not respond on senior management safeguarding independent audit arrangements that act as
check mechanisms on the operational risks of the DeM operations. These findings were
therefore consistent with the hypothesis.
There was therefore some form of governance practice through independent review by both
internal and external audit, but a poor risk management environment through inadequate
comprehensive and regular internal audit of the ORM framework and inadequate senior
management support in safeguarding independent audit arrangements. The findings on limited
engagement of both internal and external audit were consistent with the hypothesis.
5.3 Discussion on Hypothesis Three
Hypothesis three stated: there is poor level of implementation of ORM framework and limited
ORM framework tools within the MEFMI member countries.
The results show that there are no well-established ORM systems and drivers that would
advocate proper design and acceptance of ORM framework in the DeM offices. Table 17 and
Figure 14 show that more than 12 out of 17 (70 percent) respondents did not know, disagreed
or skipped the questions/statements addressing the different aspects of governance, culture and
awareness and policies and procedures that influence design and acceptance of ORM
framework in the DMO. Only five respondents agreed with the statements namely, Mauritius,
Namibia (Ministry), Botswana and Kenya (Ministry and Central Bank).
The results as represented in Table 18 and Figure 17 show that there is inadequate
implementation of the ORM framework six-step process in the DMOs of the MEFMI region.
More than 10 out of 17 respondents (59 percent) do not practice steps one, two, four, five and
six of the ORM framework process. However, about 53 percent practice mitigation and control
of risks, which is step three of the ORM framework process. The ORM framework is therefore
poorly practiced in the MEFMI region with less than 35 percent having partially
implemented it as summarised in Table 11 below.
The results illustrated in Figure 25 further show that there is limited implementation and
practice of the ORM framework tools. Only about 35 percent (6 out of 17 respondents)
practiced incident reporting in their DMOs while 29 percent (5 respondents) used KRIs and
effective reporting as ORM framework tools. The results supported the hypothesis.
5.4 Discussion of Findings
The first objective of the study was to establish the current level of implementation of ORM
principles in the DMOs in each MEFMI member country. The findings showed that the two
aspects of ORM principles, that is, sound operational risk governance practices and an
appropriate risk management environment had not been adequately implemented. There was
limited practice of an independent ORM function, no strong risk culture or good
communication on ORM, and a limited level of engagement of both internal and external audit.
These findings were supported by the MEFMI countries' DeMPA debt performance indicators
5, 12 and 13. These findings were also consistent with Magnusson et al. (2010), who stated that
government DeM operational risks often stem from shortcomings in business processes,
systems and human resource policies. These are clearly areas for improvement through
capacity building within the MEFMI region for better implementation of ORM principles.
The second objective sought to identify the key gaps, and causes of the gaps, to sound
operational risk governance practices and an appropriate risk management environment. The
results indicated inadequate governance structures on where and how the ORM function
reports; inadequate communication on operational risks and ORM framework; and limited
ORM policies and procedures in DeM. Some of the constraints identified included: limited or
inadequate resources, capacity and skills including staffing; lack of knowledge and
understanding of ORM principles and framework; and inadequate policies and procedures on
ORM. The MEFMI countries' DMOs should thus work at addressing the gaps and the identified
causes. This can be done through change of the internal governance structures and continuous
capacity building for senior management and all DeM staff to build and reinforce the
importance and understanding of ORM in the DeM functions.
As for the third objective, the findings suggested that there was limited existence of an ORM
framework governing the specific programmes used in the DMOs. A majority of the MEFMI
region respondents do not practice the six-step ORM framework process, although more than
50 percent do deploy some risk mitigation and control procedures. However, about 41 percent
(seven respondents) did not utilize any of the ORM framework tools. There was therefore an
identified gap in relation to the application of the ORM framework tools which should be
addressed.
The results, summarised in Table 11, show that there are some countries that have implemented
some form of ORM principles and framework in their DeM operations, namely: Mauritius,
Namibia, Kenya, Uganda and in some instances Botswana and Zimbabwe. The other countries
are lagging behind this group, in some cases significantly so. The MEFMI region countries that
consistently emerged from the results as having very little or no ORM practices are
Mozambique, Lesotho, Swaziland, Tanzania, Malawi and in some instances Rwanda, Uganda,
Zambia and Zimbabwe.
Table 11: Summary of implementation of some ORM practices within the MEFMI region DMOs
Implementation of ORM Principles and Framework
ORM Principles
Sound operational risk governance practices
Line managers are responsible for identifying and managing risks in their functions (Zambia included)
Independent review by internal and external audit of DeM operations (Rwanda included)
Strong risk culture and good communication on ORM
Mauritius Namibia Kenya Uganda (Ministry) Botswana (partially) Zimbabwe (partially)
Appropriate risk management environment
Senior management are aware of the major operational risk exposures
There is clarity of roles, responsibilities and objectives of government institutions responsible for DeM and respective ORM
Annual external audits of DeM activities, information technology and risk control procedures is done (Zambia included)
ORM Drivers
Governance ORM function is important and relevant to the DMO
ORM function lies within the middle office of the DMO
Mauritius Botswana Namibia Kenya (partially)
55
Implementation of ORM Principles and Framework
Operational risk function owns business continuity planning
Zambia Zimbabwe
Culture and awareness
There is a change program designed to identify, assess, monitor, control and mitigate operational risks
Operational risk function has undertaken proactive communication to promote ORM framework
Mauritius Namibia (Ministry) Botswana
Policies and procedures
There is an operational risk policy (could be part of the overall risk management policy) on government debt management.
Mauritius Namibia (Ministry) Botswana Kenya
ORM Framework (six-step process)
Step 1: Understand and document business activities
The DeM operations are understood and documented into activities and processes
Each DeM function has a stated objective and key risks identified
Mauritius Namibia Kenya Uganda (Ministry) Zambia
Step 2: Risk identification and assessment
There is rating on likelihood of occurrence and impact of the risks identified
Engagement discussions for each DeM function have been applied for staff involvement to develop risk understanding & culture in the DMO
Mauritius Namibia Kenya Zimbabwe Uganda (Central Bank)
Step 3: Risk response and control
There is a clear response to the risks identified and application of controls
Through, Risk avoidance, Mitigation and control of risk and risk acceptance. Also practiced by Zambia, Rwanda and Tanzania (Central Bank)
Mauritius Namibia Kenya Uganda (Central Bank) Zimbabwe
Step 4: Implementation process
There is training for DeM staff and managers to understand their roles and ensure compliance with ORM policies and procedures
Mitigation strategies and controls are documented in procedures and monitored
Mauritius Namibia Kenya Zimbabwe Uganda (Central Bank)
Step 5: Monitoring and reporting performance
There is monitoring of key risks identified, assessed and sources of the risks by debt managers and risk monitoring unit/champion
Regular reporting to senior management on key risks, significant incidents & review process is in place
Botswana Uganda (Central Bank) Kenya (Central Bank) Zimbabwe
Step 6: Continuous Improvement
There is an increase in risk awareness to all staff
There is full and visible support of senior management
Botswana Mauritius Namibia Kenya Zimbabwe
Uganda (Central Bank)
ORM Framework Tools
Summarised in Table 10: MEFMI region practice of the tools for ORM within the DMOs
Some of the principles that the MEFMI countries’ DMOs could employ, and the benefits that
would flow, include: appropriate management oversight which would establish a strong risk
management culture; transparency and accountability evidenced by clarity in roles and
responsibilities; stronger roles for internal and external auditors reinforcing regular and
comprehensive independent examination and assessment of DMOs’ ORM framework; and
public disclosure for development of better DeM practice through management discipline and
accountability.
5.5 Summary
About 53 percent of the MEFMI region countries’ DeM functions are fragmented rather than
consolidated in one location, and are not organised along functional lines. This suggests that there
is an opportunity for the MEFMI region to improve their DeM functions’ governance structure
to benefit from consolidated and organised functional lines which ensure implementation of
internal controls and accountability.
Whilst it was evident from the findings that most MEFMI countries remained conscious of
risk exposures and the impact that they would face if the risk events occur, a majority of the
respondents do not practice or know about the practice of ORM in their DeM functions. None
of the respondents carries out overall risk management and ORM using risk champions or
coordinators and/or a risk monitoring unit. This is therefore an area that has remained
unexplored within the MEFMI countries and provides an avenue for capacity building.
The inadequate practices in relation to the ORM drivers include:
failure of ORM function to report directly to the Head DMO or Ministry’s chief risk officer;
there are no operational risk coordinators or champions in the DeM units who communicate
regularly with the central operational risk team;
the operational risk function does not own business continuity planning;
the operational risk function is not proactive in communicating, planning and training to
promote ORM or facilitate culture change;
the lack of an operational risk policy; and
lack of policies and procedures that address the use of ORM framework tools.
These inadequacies were attributed mainly to lack of knowledge and understanding on ORM;
limited resources, such as staffing, capacity and skills; inadequate policies and procedures on
ORM; inadequate structures on internal and external audit of DeM operations; and poor
operational risk governance practices.
From the constraints identified to the implementation of ORM drivers, the main areas of future
focus would be to build capacity and understanding of ORM drivers, and to strengthen the
resources within the DMOs on ORM. There is also limited implementation of the ORM
framework six-step processes, providing an opportunity for its practical exposure within the
region. Whereas a number of the respondents were familiar with some of the ORM framework
tools, the actual practice of the methods was mostly minimal. There is therefore a wide gap in
understanding and utilization of ORM framework tools within the MEFMI region, which offers
an avenue for knowledge sharing on the same to effectively improve and enhance the ORM
practices within the DMOs.
6.0 CONCLUSION AND RECOMMENDATIONS
6.1 Practical Application to the MEFMI Member Countries
The literature has provided a broad narrative on what is expected of a DMO in applying and
implementing ORM principles, framework, tools and business continuity policies. A
summarised practical roadmap on implementation of these best practices is important in
assisting the debt managers in each MEFMI member country.
Firstly, the DMO in each MEFMI member country needs to develop sound operational risk
governance practices. This can be achieved by setting up policies and procedures to: a) ensure
debt managers own and manage risk and control by being responsible for identifying and
managing the risks in their activities, processes and systems; b) establish an independent ORM
function or risk monitoring unit within the middle office; c) plan for independent reviews by
both internal and external auditors of the DeM operations and ORM controls, processes and
systems.
Secondly, develop an appropriate risk management environment through full and visible
support of senior management. The Minister or the Head of DMO should take the lead in
continuously emphasising the importance of operational risk awareness and ensuring that
adequate policies and procedures are in place to support a strong risk management
environment. This can be done by initiating and safeguarding effective and comprehensive
internal audits of DeM activities, systems and control procedures, facilitating regular external
audits and ensuring sufficient public disclosure through an annual report on the DeM operations
and outcomes of the DeM strategy.
Thirdly, reinforce the risk management environment by appropriately placing the ORM
function independently or in the DMU’s middle office and ensuring that risk champions are
trained to perform their functions. This can also be achieved through a change programme
where the operational risk function would undertake proactive communication, careful
planning and excellent training for all staff to ensure their participation and involvement in
managing operational risks. An ORM policy should be prepared which could be part of the
overall risk management policy on government DeM.
Fourthly, manage the operational risks through a framework that will cover the DMO risk
appetite and tolerance as specified in the policies for managing this risk. The DMO can develop
a framework that works for it in outlining how to identify, assess, monitor and mitigate the
risks. The following steps could be followed: a) senior management appointing a risk champion
or risk monitoring unit from the middle office to lead and guide the process; b) convene
workshops and discussion sessions to ensure all debt management operations are clearly
understood and documented, breaking down the main DeM functions into activities and
processes, each with a stated objective; c) then identify and document the risks associated with
each process, rating them on the likelihood and impact of the risk indicated; d) determine the
risk mitigation strategies and controls; e) conduct risk awareness sessions and initiate reporting
structures and continuous monitoring of the operational risks to ensure they are managed;
f) identify the line manager responsible for managing and controlling each of the identified
risks requiring them to report periodically.
Finally, develop ORM tools to facilitate the management of operational risks. The DMO senior
management with the guidance of the risk champion / ORM unit should evaluate the different
tools available and begin with one at a time for better buy-in from staff. Taking into account
the possibility of limited resources and capacity, a step by step approach should be used in
implementing the tools. It is easier when the incident reporting and RCSA formats are provided
by the ORM unit for standardization of the reports. It is important to note that reporting of
incidents does not imply blame and penalty. It is done to identify areas of improvement, to
continuously build risk awareness and culture, and develop risk mitigation techniques.
Reports should be prepared on incidents within a given period, remediation action being taken,
KRIs (if any), results of RCSA and scenario analysis. As noted above, the reporting should
also focus on addressing where the risk is, what action needs to be taken, who is under control
and who is not. Operational risk managers should also analyse the raw data, analyse trends and
predictors through KRIs and present opinions and recommend action and mitigation strategies.
Some of the practical measures can be implemented even by the poorest MEFMI member
countries as they mainly require commitment from the senior management and participation
and involvement of all debt managers in owning and mitigating operational risks within their
functional units. Whereas the other practical implementation procedures require additional
resources through training, engagement of qualified staff, change of governance processes and
inculcating the risk management culture, the MEFMI member countries can begin the process
incrementally. They can also continue seeking the support of partners (such as, MEFMI, World
Bank and IMF) to build capacity and effectively implement the ORM principles, framework,
tools and BCP policies.
6.2 Policy Recommendations
The findings established that MEFMI region countries have not effectively implemented ORM
principles and framework for better management of their debt operations. It is therefore
important for each MEFMI country to implement sound operational risk governance and
establish an appropriate risk management environment. MEFMI as an institution could
intensify efforts to provide resources for practical support and capacity building within the
region; support could also be sought from other donors e.g. the Debt Management Facility
managed by the World Bank. The MEFMI countries could also partner and collaborate with
other institutions that are willing to offer and provide them with resources to understand and
gain knowledge on ORM in DeM operations.
An emphasis on good DMO internal governance structures, adequate policies and procedures,
and culture and awareness on operational risks would reinforce oversight, understanding of
ORM, internal and external auditors’ third line of defence roles, and transparency and
accountability. Countries should thus ensure that they include operational risk policy in the
overall risk management policy, and train and communicate on ORM to create awareness and
develop adequate governance structures for proper reporting and monitoring of operational
risks within the DeM operations. This could be done by establishing an independent ORM
function or risk monitoring unit within the middle office.
Business continuity planning is the development, implementation and maintenance of policies,
frameworks and programmes to assist the DeM manager in case of a business disruption
(Storkey, 2011). The findings showed that only 29 percent had developed a BCP and DRP that
are tested annually. To effectively implement a BCP, business impact analysis is essential.
There should also be regular testing of the BCP and DRP to facilitate resumption of operations
in the event of a disruption. The BCP/DRP process should be highlighted within the MEFMI
region and adequate capacity provided to ensure that plans are tested annually.
Implementation of the six-step process is important for proper understanding and
documentation of business activities; identification and assessment of risk; providing
appropriate risk response and controls; implementation of risk mitigation; monitoring and
reporting performance; and continuous improvement. Use of an ORM framework should
therefore be adequately developed within the MEFMI region.
The practice of incident reporting, RCSA, identification of KRIs, scenario analysis and
effective reporting is important to operationalize the ORM framework and to effectively
manage the ORM process. The tools would be best implemented one at a time for better buy-
in from staff. This would also factor in limited resources and capacity. The DMOs within the
MEFMI region can be trained on the different techniques and practical application reinforced
for effective ORM of the debt operations. Table 12 summarises the areas for improvement with
an indication of priorities and timeline.
Table 12: Summary on ORM improvement and prioritisation areas for policy adoption
Improvement area 1: Adoption of sound operational risk governance practices, specifically:
a) The ORM team needs to have a reporting structure that provides oversight and an effective route for escalation and approval.
b) Each line manager made responsible for ORM in their own business area in the DeM operations.
c) Implement an independent ORM function to act as second line of defence
d) Safeguard and ensure an independent review of DeM operations through both comprehensive and regular internal and external audits.
Implementation action: Immediate implementation within six months to one year. The importance of ORM and participation by all staff needs to be signalled by senior management.
Action initiator: Minister / Head of DMO

Improvement area 2: Building an appropriate risk management environment, through:
a) Adequate management oversight by taking the lead in establishing a strong risk management culture
b) Enhanced transparency and accountability through clarity of roles and responsibilities for ORM in DeM operations
c) Enhance public disclosure of DeM operations including approach to handling ORM.
Implementation action: Incremental implementation within six months to one year
Action initiator: Head DMO (with clear support of the Minister)

Improvement area 3: Institute ORM drivers, namely:
a) ORM governance by determining where to best place ORM and what functions ORM should perform
b) Building ORM culture and awareness to all staff through continuous communication and engagement
c) Establishing supporting policies and procedures such as developing an ORM policy
Implementation action: Incremental implementation within 12 months to two years
Action initiator: Head DMO / Senior Management / Head ORM / Head Middle Office

Improvement area 4: Developing an ORM Framework through the six-step process
a) Each line manager needs to be responsible for ORM in their own functional area
b) It is then advisable that a risk champion be appointed from the middle office to lead and guide the process of ORM across the DMU
Implementation action: Incremental process as senior management seek to understand and outline to all staff in the DMO the importance of ORM and the need for their participation and involvement
Action initiator: Senior Management supported by Line Managers

Improvement area 5: Implementation of ORM Framework tools or techniques
Implementation action: Step by step implementation of the tools of ORM framework for better buy-in and support from staff and management within 12 months to 2 years
Action initiator: Senior Management / Head ORM or Middle Office Head and supported by Line Managers

Improvement area 6: Build BCP and DRP policies and procedures for resilience in the event of a business disruption. This is done by:
a) performing a BIA
b) developing mitigation strategies to ensure continuity of operations
c) developing BCP/DRP in accordance with international standards
d) annual reporting of BCP/DRP to DMO senior management
Implementation action: Immediate implementation within six months to one year
Action initiator: Head DMO (with clear support of the Minister) / Senior Management / Head ORM / Head Middle Office (with support from IT and other functions in wider Ministry)
Step-by-step implementation of the above processes would also take account of limited resources, capacity and skills.
Implementation should also take account of opportunities for collaboration with MEFMI and other partner institutions such as World Bank and IMF for capacity building and resource mobilization.
In all cases the Minister and senior management will need to signal the importance attached to
ORM. The next step for individual countries would be the development of more detailed work
plans; that goes beyond this study, but as indicated above and certainly in the more resource-
constrained countries, it is likely to require donor or consultancy support, at least in the first
instance. For example, MEFMI could provide technical assistance support to a newly-
appointed risk champion to populate risk registers and facilitate the assessment process.
Specialist consultants can contribute to the preparation of a BCP/DRP.
6.3 Conclusion
Whilst 70 percent of DMUs were familiar with ORM, less than 40 percent practically
implemented and practiced the different aspects of ORM within their DeM functions. Business
continuity plans had also not been effectively developed and established or tested annually.
The MEFMI countries should proactively engage and allocate some resources or partner with
willing institutions to build capacity in ORM and take practical steps for effective BCP.
The constraints identified to sound operational risk governance practices and an appropriate
risk management environment should be addressed to reinforce ORM practice. ORM
framework and techniques should be developed gradually as the senior management and DeM
staff seek to understand and embrace ORM within the DeM operations.
There are a number of limitations that may have affected or influenced the results of the study.
Target respondents were from both Ministry and Central/Reserve Banks in all MEFMI member
countries. However, with limited resources available for the research, not all countries provided
responses from both their Ministry offices and Central Banks where some of the debt
management functions are performed. This may not have provided all the information on the
practice of ORM within the DeM offices in all MEFMI countries.
Further, more than one response from each country and each DeM office would have provided
more corroborative information to affirm the responses given by one respondent. To mitigate
this risk, responses were sought from experienced and senior staff from the MEFMI countries.
This was however probably not completely sufficient to remove the bias of a single respondent;
inferences and conclusions may reflect respondents’ personal opinions. The earlier data
obtained on DeMPA’s debt performance indicators 5, 12 and 13 for the MEFMI region
however offer some corroborative information.
The study was carried out across the MEFMI region; this meant that the questionnaires were
mainly sent through email and an online platform provided for response. Follow up was mainly
through email, phone calls and automated online reminders. In addition, some respondents
were slow in returning their questionnaires forcing the researcher to constantly send reminders
and make phone calls to follow up. Questionnaires were used as the main data gathering
technique. This technique has some potential weaknesses such as ambiguity of the questions
and possibility of personal biases.
Arguably the main priority now is for MEFMI countries to engage with these findings and
identify what needs to be done to improve their ORM environment and practices.
Notwithstanding that, and despite the in-depth coverage of this research and its findings, there
still exists a gap that future researchers could explore. Whilst operational risks are experienced
in the day-to-day operations, the awareness of their management is critical to minimize the
potential consequences. Continuous awareness and establishment of a strong risk culture is
important and this will continue to generate new areas and ways of managing operational risks
within the DeM functions. Owing to the continuous nature of operational risks, further research
can be conducted on new ways for managing them within the DeM operations.
Further studies should attempt to achieve a larger collaborated sample across all the DMOs
within the MEFMI region from both the Ministry and Central Bank. The current study being
exploratory and specific to the MEFMI region, additional research can be carried out on a wider
scale. This could be through conducting surveys on other regional blocks within Africa such
as COMESA (Common Market for Eastern and Southern Africa) and ECOWAS (Economic
Community of West African States). Additional studies can be done across other continents
and provide for a comparative analysis between the African regional blocks and comparable
groups in other continents.
REFERENCES
Aina, Ayodeji (2013), “Risk Assessment for Business Continuity Management”, World Bank Treasury. www.treasury.worldbank.org
Basel Committee on Banking Supervision (2011), “Principles for the Sound Management of Operational Risk”, Bank for International Settlements http://www.bis.org/publ/bcbs195.htm
Basel Committee on Banking Supervision (2003), “Sound Practices for the Management and Supervision of Operational Risk”, Bank for International Settlements (BIS). Retrieved from www.bis.org/publ/bcbs96.htm http://www.bis.org/bcbs/index.htm
Basel Committee on Banking Supervision (1998), “Operational Risk Management”, Bank for International Settlements http://www.bis.org/publ/bcbs42.pdf
Basel II Accord Section 664 – 683, “Advanced Measurement Approaches (AMA)” http://www.basel-ii-accord.com/BaselText/Basel664to683.htm
Basel II “International Convergence of Capital Measurement and Capital Standards: A revised Framework”, published by the Bank for International Settlements in June 2006 http://www.bis.org/publ/bcbs128.htm
Blommestein, H., ed. (2002), “Public Debt Management and Government Securities Markets in the 21st Century”, OECD, Paris
Blumberg Boris, Cooper Donald R. and Schindler Pamela S. (2011), “Business Research Methods”, Third European Edition, McGraw Hill Education
Central Banking Publications Ltd. (2000), “Risk Management for Central Bankers”, UBS Warburg
Committee of Sponsoring Organisations (COSO) of the Treadway Commission (2013), “Internal Control – Integrated Framework: Guidance on Monitoring Internal Control Systems” http://www.coso.org
Cooper, D. R. and Schindler, P. S. (2003), “Business Research Methods”, 8th edition. New Delhi, Tata McGraw-Hill
COSO (2013), “The Three Lines of Defense in Effective Risk Management and Control”, Institute of Internal Auditors (IIA) https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Position-Papers.aspx
COSO (2004), “Enterprise Risk Management – Integrated Framework”, COSO www.coso.org
Ernst & Young (2013), “Operational Risk Management: Deriving Greater Value from your Risk and Control Assessment Program” Presentation
Giavazzi, F. and A. Missale (2004), “Public Debt Management in Brazil”, NBER Working Paper 10394, March 2004
Girling P., Shimko D. and Went P. (2010), the GARP Risk Series, “Operational Risk Management”, Global Association of Risk Professionals (GARP)
Internal Control – Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission (Jersey City, NJ: American Institute of Certified Public Accountants May 2013). See: coso.org
International Monetary Fund (IMF) and World Bank (2014), “Revised Guidelines for Public Debt Management”, IMF and World Bank, Washington D.C. https://www.imf.org/external/np/pp/eng/2014/040114.pdf
International Organization for Standardization (2011), “ISO-27031: Information Technology–Security Techniques–Guidelines for Information and Communication Technology Readiness for Business Continuity” Retrieved from http://www.iso.org/iso/catalogue_detail?csnumber=44374
International Professional Practices Framework - IPPF (2013), “International Standards for the Professional Practice of Internal Auditing”, Institute of Internal Auditors (IIA)
Magnusson T., Prasad A. and Storkey I. (2010), “Guidance for Operational Risk Management in Government Debt Management”, World Bank. Retrieved from http://go.worldbank.org/GLNMQ6PVA0 http://siteresources.worldbank.org/INTDEBTDEPT/RelatedPapers/22491571/OperationalRiskManagement201003.pdf
Magnusson et al. 2010, Operational Risk Management Framework Six-step Process
McNamee David and Selim Georges (1998), “Risk Management: Changing the Internal Auditor’s Paradigm”, The Institute of Internal Auditors Research Foundation
MEFMI In-Country Workshop (2015), “Public Debt Management Performance Assessment (DeMPA)”
OECD (2005), “Overview of Advances in Risk Management of Government Debt, Financial Market Trends”, No.88, March 2005
OECD (2005), “Management of Operational Risk by Sovereign Debt Management Agencies” in Advances in Risk Management of Government Debt, OECD, Paris, pp. 67-88
Pandey M. and Dar Juan T. (2013), “Managing and Integrating Information Technology Risks Into the Operational Risk Framework”, Information Technology Solutions, World Bank Group
Pearson Learning Solutions (2014), “Foundations of Risk Management” Financial Risk Manager (FRM®) Part I, 4th Custom Edition for Global Association of Risk Professionals (GARP)
Prasad Abha, Pollock Malvina and Li Ying (2013), “Small States Performance in Public Debt Management”, World Bank, Policy Research Working Paper 6356 http://documents.worldbank.org/curated/en/2013/02/17225559/small-states-performance-public-debt-management
Shimpi, P.A. (2001), “Integrating Corporate Risk Management”, Texere, New York
Storkey, Ian (2011), “Operational Risk Management and Business Continuity Planning for Modern State Treasuries”, International Monetary Fund (IMF) Fiscal Affairs Department. Retrieved from https://www.imf.org/external/pubs/ft/tnm/2011/tnm1105.pdf
The Three Lines of Defense in Effective Risk Management and Control, (Altamonte Springs, FL: The Institute of Internal Auditors Inc, January 2013). Available at https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Position-Papers.aspx
Tokaç H. and Williams M. (2013), “Government Debt Management and Operational Risk: A Risk Management Framework and its Application in Turkey”, SIGMA Papers, No.50, OECD Publishing. http://dx.doi.org/10.1787/5k483jnqxtms-en http://www.oecd.org/site/sigma/publicationsdocuments/SIGMA_SP50E_2013.pdf
Wheeler, Graeme (2004), “Sound practice in government debt management”, Washington, DC: World Bank. Retrieved from http://documents.worldbank.org/curated/en/2004/01/3583110/sound-practice-government-debt-management
Williams, Mike (2013), Presentation on Operational Risk Management at DMF Stakeholder’s forum in Berlin http://siteresources.worldbank.org/INTDEBTDEPT/Resources/468980-1170954447788/3430000-1358445852781/DMF2013_Session05_Williams.pdf
World Bank (2015), “Debt Management Performance Assessment (DeMPA) Tool”, World Bank, Washington, D.C., http://documents.worldbank.org/curated/en/2015/06/24572870/debt-management-performance-assessment-dempa-methodology
World Bank (2015), “Disaster Risk Financing and Insurance (DRFI) Program”, IBRD – IDA, http://www.worldbank.org/en/programs/disaster-risk-financing-and-insurance-program
World Bank (2010), “Guidance for Operational Risk Management in Government Debt Management”, World Bank, D.C., http://go.worldbank.org/48MIDC8BH0
World Bank (2011), “Debt Management Performance Assessment (DeMPA) and Reform Plan Design”, MDB Meetings Washington DC, Retrieved from http://go.worldbank.org/W7V1F1A6S0 http://siteresources.worldbank.org/INTDEBTDEPT/Resources/468980-1208804666078/4918561-1304453546921/MDB2011_14.pdf
APPENDICES
Appendix 1: Tables on Data Analysis
Table 13: Response rate
No. Country Response received DeMPA done Expected Response Received Response
1 Angola NO - 1 0
2 Botswana YES NO 1 1
3 Burundi NO - 1 0
4 Kenya YES YES 2 2
5 Lesotho YES YES 2 1
6 Malawi YES YES 2 1
7 Mozambique YES YES 1 1
8 Namibia YES YES 2 2
9 Rwanda YES YES 1 1
10 Swaziland YES NO 1 1
11 Tanzania YES YES 2 2
12 Uganda YES YES 2 2
13 Zambia YES YES 1 1
14 Zimbabwe YES YES 1 1
Others
15 Mauritius YES NO 1 1
16 Seychelles NO - 1 0
Total 22 17
Aggregate Response Rate 77%
Overall Country Response Rate 81%
Table 14: Quality of respondents
No Level of respondent Percent of responses Countries
1 Director/Deputy or Assistant Director 35% Rwanda, Uganda (Ministry), Uganda (Central Bank), Namibia (Ministry), Kenya (Ministry) & Lesotho
2 Senior Managers - Functional heads, senior economists, senior dealers or senior analysts 35% Botswana, Mauritius, Kenya (Central Bank), Malawi (Central Bank), Namibia (Central Bank) & Zambia
3 Experts, economists, dealers or analysts 30% Zimbabwe, Swaziland, Tanzania (Ministry), Tanzania (Central Bank) & Mozambique
Table 15: MEFMI region countries response to the best practice DMO structure
Response Country
Yes Malawi (Central Bank), Mozambique, Namibia (Central Bank), Kenya (Central Bank), Kenya (Ministry), Zimbabwe (Ministry), Uganda (Ministry) and Mauritius
No Rwanda, Lesotho, Botswana, Zambia, Namibia (Ministry), Swaziland and Tanzania (Central Bank)
Skipped Uganda (Central Bank) and Tanzania (Ministry)
Table 16: MEFMI region implementation and development of ORM principles in the DMO in %
Key: Strongly Agree = SA Agree = A Neutral = N Disagree = D Strongly Disagree = SD Skipped = S
Operational risk management principles SA A N D SD S
1. Sound operational risk governance practices % % % % % %
a) Line managers (in all debt management functions) are responsible for identifying and managing risks in their functions
18 29 12 18 0 23
b) There is an independent operational risk management function
0 18 12 41 6 23
c) There is an independent review by internal and external audit of debt management operations
18 35 6 6 6 29
d) There is a strong risk culture and good communication on operational risk management
12 18 23 12 6 29
2. Appropriate risk management environment
a) Senior management are aware of the major operational risk exposures, approve and periodically review the operational risk management framework.
12 29 12 12 6 29
b) Senior management safeguard independent audit arrangements that act as a check mechanism on the operational risks of the debt management operations
0 35 12 18 6 29
c) The Minister or Head of DMO has taken lead in establishing a strong risk management culture
6 23 12 18 6 35
d) Comprehensive and regular internal audit of the operational risk management framework is done by independent, trained and competent staff
6 18 23 18 6 29
e) There is clarity of roles, responsibilities and objectives of government institutions responsible for debt management and respective operational risk management
12 23 12 18 6 29
f) An annual report is prepared to inform the legislature and the public on the outcomes of debt management strategy and operations
12 18 6 17 12 35
g) Annual external audits of debt management activities, information technology and risk control procedures are done
12 29 6 12 6 35
Table 17: Different aspects of the three drivers of ORM and their percentage representation on influencing design and acceptance of ORM framework in the DMO
Key: Mean = Weighted Average Std. Dev = Standard Deviation
Drivers of operational risk management SA A N D SD S Mean Std. Dev
1. Governance % % % % % %
a) Operational risk management function is independent, important and relevant to the debt management office
0 41 6 24 0 29 2.75 0.92
b) Operational risk management function lies within the middle office of the debt management office with other risk management functions
0 41 0 29 0 29 2.83 0.99
c) Operational risk management function reports directly to Head of Debt Management Office
0 24 18 29 0 29 3.08 0.86
d) Operational risk management function reports directly to the Ministry’s Chief Risk Officer
0 6 29 35 0 29 3.42 0.64
e) Operational risk management function reports directly to Audit
0 12 18 35 6 29 3.50 0.87
f) There are operational risk coordinators or champions in every debt management unit who have regular communication with the central operational risk team
6 18 12 29 6 29 3.17 1.14
g) Operational risk function owns business continuity planning (from damage to physical assets and business disruptions and system failures)
6 24 12 24 6 29 3.00 1.15
2. Culture and awareness
a) There is a change program designed to identify, assess, monitor, control and mitigate operational risks
0 24 18 24 6 29 3.17 0.99
b) Operational risk function has undertaken proactive communication, careful planning and excellent training to promote and communicate the operational risk management framework
0 18 12 35 6 29 3.42 0.95
c) To facilitate culture change, an effective institution wide training module to educate on importance of operational risk management, role of operational risk team and coordinators was delivered
0 18 18 29 6 29 3.33 0.94
3. Policies and Procedures
a) There is an operational risk policy (could be part of the overall risk management policy) on government debt management.
0 29 12 24 6 29 3.08 1.04
b) Policies and procedures in place cover the minimum requirements for incident reporting, risk and control self-assessment, scenario analysis and KRIs programs
0 24 18 24 6 29 3.17 0.99
Table 18: Implementation of the six-step process of ORM framework in the DMOs
Six-step process of an ORM Framework SA A N D SD S % % % % % %
1. Understand and document business activities
a) The debt management operations are understood and documented into activities and processes
12 29 18 12 0 29
b) Each debt management function has a stated objective and key risks identified
18 23 12 12 0 35
2. Risk identification and assessment
a) There is rating on likelihood of occurrence and impact of the risks identified
6 18 18 23 0 35
b) Engagement workshops and discussions for each debt management function have been applied to ensure all staff involvement to develop risk understanding and culture in the DMO
0 35 18 18 0 29
3. Risk response and controls
a) There is a clear response to the risks identified and application of controls
12 24 23 12 0 29
b) Through
i. Risk avoidance – for example, to avoid the key person risk, more staff have been trained and exposed to the actual job
0 24 29 12 6 29
ii. Transfer of risk – to third party such as insurer (insurance against theft and loss)
0 6 18 41 0 35
iii. Mitigation and control of risk – for example, having a back-up generator to reduce impact of power disruption
6 47 18 0 0 29
iv. Risk acceptance – for example, having a disaster recovery plan (DRP) that is regularly tested to ensure resumption of operations in the event of a disruption
18 29 18 6 0 29
4. Implementation process
a) There is training for debt management staff and managers to understand their roles and ensure compliance with ORM policies and procedures
6 35 18 12 0 29
b) Risk awareness with external parties to cover all activities external to DMO (such as the Ministry’s IT function)
6 24 23 12 6 29
c) Mitigation strategies and controls are documented in procedures and monitored by DMO risk monitoring unit /champion
12 12 23 18 6 29
d) There is a developed BCP and DRP with annual testing
6 23 18 18 6 29
5. Monitoring and reporting performance
a) There is monitoring of key risks identified, assessed and sources of the risks by debt managers and risk monitoring unit/champion
6 23 18 24 0 29
b) Regular reporting to senior management on key risks, significant incidents and a review process is in place
6 18 29 18 0 29
6. Continuous improvement
a) There is an increase in risk awareness to all staff
0 29 18 18 6 29
b) There is full and visible support of senior management
6 41 12 12 0 29
Appendix 2: Statistics on the MEFMI Countries Debt to GDP Ratio
Table 19: MEFMI Countries Debt to GDP Ratio (Year 2010 to 2015)
Country 2010 2011 2012 2013 2014 * 2015
1 Angola 39.8 32.2 29.6 34.6 38.4 37.8
2 Botswana 19.5 20.1 19.2 16.9 14.8 13.0
3 Burundi 40.3 36.4 35.4 31.8 30.0 28.6
4 Kenya 48.1 54.2 50.0 51.7 47.9 49.9
5 Lesotho 36.0 37.4 42.2 42.7 41.1 40.1
6 Malawi 35.1 44.0 53.4 72.9 57.9 48.6
7 Mozambique 38.2 39.2 42.7 47.8 51.4 53.6
8 Namibia 15.5 25.1 23.8 27.8 27.6
9 Rwanda 14.5 18.0 17.1 28.7 29.1
10 Swaziland 12.0 13.9 17.4 17.8 17.2
11 Tanzania 40.9 43.6 39.5 39.9 42.1
12 Uganda 23.8 28.7 26.2 33.3 34.7 26.0
13 Zambia 29.3 25.4 30.8 34.1 35.1 41.9
14 Zimbabwe 94.3 90.3 56.7 55.2 58.5
Source: MEFMI Macro Statistics bulletin December 2013, Global Finance website - www.gfmag.com/global-data/country-data/, & Trading Economics website - www.tradingeconomics.com
* Estimate
Source: MEFMI Macro Statistics bulletin December 2013, Global Finance website - www.gfmag.com/global-data/country-data/, & Trading Economics website - www.tradingeconomics.com
Figure 26: MEFMI Countries Debt to GDP Ratio (Year 2010 to 2014) [chart not reproduced; axes: Percentage (0 to 100) and MEFMI Countries; series: 2010, 2011, 2012, 2013, 2014]
Appendix 3: Cover letter
Mr/Ms. ………………………..
Title ……………………………
Debt Management Office
Address ……………………….
Email: …………………………
18th March 2016
Dear ………………………..,
RE: QUESTIONNAIRE ON OPERATIONAL RISK MANAGEMENT OF GOVERNMENT DEBT OPERATIONS
I work at the Central Bank of Kenya, Internal Audit Department and I am pursuing a fellowship with MEFMI in Public Debt Management. I am currently researching on operational risk management principles and framework for government debt management, with a view to contributing to practical implementation in the MEFMI region.
The objective of the research will be to determine the current level of implementation of operational risk management principles and frameworks. I also plan to identify the gaps, and the causes of those gaps, to sound operational risk governance and the appropriate risk management environment in the debt management units within the MEFMI member countries.
I would therefore be very grateful if you would kindly spare a few minutes from your busy schedule to complete the attached questionnaire and return it by 30th June 2016. You might find it convenient to give the questionnaire to the official responsible in your office for operational risk management or risk management more generally. If you could kindly let me know who it is, that would be very helpful: I will be able to contact them to see if they have any problems or questions.
If you have any queries about this work, please do not hesitate to contact me or my mentor, Mr. Mike Williams, an independent consultant on government debt management, on email address: [email protected]
Thank you for your kind attention. I look forward to hearing from you.
Yours faithfully,
Olive Gitau
Internal Audit Department, Central Bank of Kenya
Tel: +254202861055/6, Mobile: +254733712733, Email: [email protected]
Appendix 4: Questionnaire
MEFMI COUNTRIES OPERATIONAL RISK MANAGEMENT QUESTIONNAIRE FOR GOVERNMENT DEBT MANAGEMENT
Country of residence
Name (Optional)
Designation (position held)
Please tick [√] appropriately
1. Do you work in the Debt Management Office (DMO)?
□ Yes □ No
Note: DMO is used to refer to the government principal debt management unit
2. What is your level of management at the DMO?
Functional Head (such as Head Middle Office)
Line Manager (such as Risk Management Manager)
Expert / Specialist
Other
3. Is the structure of your Debt Management Office divided into: a) Front office – resource mobilization; b) Middle office - strategy and risk management; & c) Back office – debt records, transactions and payment processing
□ Yes □ No
If No, what is the structure? Kindly specify
4. Who performs the following principal debt management functions in your country?
This technical paper is aimed at providing an operational risk management framework roadmap for government debt management in MEFMI Region. Kindly provide the most accurate information. It should take you approximately 20 minutes to fill this questionnaire. All feedback shall be treated with absolute confidentiality. Thank you.
Functions Ministry DMO, Central Bank Other body (please specify)
1. Domestic securities borrowing
2. External securities borrowing (such as, sovereign bond)
3. External loans and credit
4. Strategy and Risk Management
5. Debt records, transaction and payment processing
If managed from different offices, kindly explain
5. Where some of the above functions are carried out by a government’s agent such as the Central Bank or other body, is there a signed agency agreement or a service level agreement between the two parties?
□ Yes □ No □ Not sure
Operational risk management is a facet of risk management that focuses on identifying, assessing, controlling and mitigating operational risks. Operational risk is anything that can cause loss resulting from inadequate or failed internal processes, people and systems or from external events. These risks are managed through policies, which should outline management and staff responsibilities and identify controls for managing the processes, people and systems.
6. Has your country Debt Management Office carried out a Debt Management Performance Assessment (DeMPA)?
□ Yes □ No
If yes, in which year? (You can √ tick more than one if applicable)
Year 2015 2014 2013 2012 2011 2010 Prior Year, Specify
Tick (√)
Objective 1: To establish the current level of implementation of operational risk management principles in the DMU in each MEFMI member country.
Using your most recent DeMPA report, kindly provide feedback on the following questions:
(√ tick the correct score)
7. What was the score for Debt Performance Indicator (DPI) – 5 Audit?
DPI-5 A B C D NR
a) Dimension 1. Frequency and comprehensiveness of financial audits, compliance audits and performance audits (of the effectiveness and efficiency of government DeM operations, including the internal control system and its effectiveness) as well as publication of the external audit reports
b) Dimension 2. Degree of commitment to address the outcomes from the audits
Reasons
8. What was the score for DPI – 12 Debt Administration and Data Security?
DPI-12 A B C D NR
a) Dimension 1. Availability and quality of documented procedures for the processing of debt – related payments
b) Dimension 2. Availability and quality of documented procedures for debt and transaction data recording and validation, as well as storage of agreements and debt administration records
c) Dimension 3. Availability and quality of documented procedures for controlling access to the central government’s debt data recording and management system and audit trail
d) Dimension 4. Frequency and off-site, secure storage of debt recording and management system backups
Reasons
9. What was the score for DPI – 13 Segregation of Duties, Staff Capacity and Business Continuity?
DPI-13 A B C D NR
a) Dimension 1. Segregation of duties for some key functions as well as the presence of a risk monitoring and compliance function
b) Dimension 2. Staff capacity and human resource management
c) Dimension 3. Presence of an operational risk management plan, including business continuity and disaster recovery arrangements
Reasons
10. Do you carry out the following functions in your DMO?
Functions Yes No
a) Risk Management (market, credit & refinancing risk)
b) Operational risk management
If No, please give reasons
If Yes, who is responsible for overall risk management and operational risk management? (You can √ tick more than one where applicable) □ Middle office □ Risk champion/ specialist/ coordinator □ Line manager (functional/business area manager) □ Operational risk management unit □ Risk Monitoring Unit □ Other, Specify
Objective 2: To identify key gaps and causes for those gaps to sound operational risk governance practices and appropriate risk management environment in the DMU of each MEFMI member country.
11. Are you familiar with operational risk management?
□ Yes □ No □ Not sure
Examples of operational risks
Operational Risks
1. Internally supported systems failures – such as IT software or hardware failure
2. Poor maintenance of systems and power outages
3. Network failure
4. Human error (due to poor training or inadequate supervision)
5. Execution of unauthorized transactions & activities
6. Key person risk
7. Fraudulent, corrupt or dishonest practices (theft, fraud)
8. Poor process design and incomplete data
9. Policy and analysis failures
10. Physical security failures
11. Inadequate and unclear documentation
12. Failure to follow regulation & legislation
13. Weak governance structures
14. Failure of key service providers such as suppliers, outsourcers or agents
15. Business continuity events – fire, terrorism & other natural disasters
16. Externally supported systems failure e.g. internet providers
17. System attack (hacking)
12. The following principles for operational risk management in your debt management office have been developed and implemented. Give a rating of 1 to 5.
Key: 1. Strongly Agree 2. Agree 3. Neutral 4. Disagree 5. Strongly Disagree
Principles 1 2 3 4 5
1. Sound operational risk governance practices
a) Line managers (in all debt management functions) are responsible for identifying and managing risks in their functions
b) There is an independent operational risk management function
c) There is an independent review by internal and external audit of debt management operations
d) There is a strong risk culture and good communication on operational risk management
2. Appropriate risk management environment
a) Senior management are aware of the major operational risk exposures, approve and periodically review the ORM framework.
b) Senior management safeguard independent audit arrangements that act as a check mechanism on the operational risks of the debt management operations
c) The Minister or Head of DMU has taken lead in establishing a strong risk management culture
d) Comprehensive and regular internal audit of the operational risk management framework is done by independent, trained and competent staff
e) There is clarity of roles, responsibilities and objectives of government institutions responsible for debt management and respective operational risk management
f) An annual report is prepared to inform the legislature and the public on the outcomes of debt management strategy and operations
g) Annual external audits of debt management activities, information technology and risk control procedures are done
13. Three drivers of operational risk management influence the design and acceptance of operational risk management framework in the debt management office.
a) Governance b) Culture and awareness c) Policies and procedures
Indicate a rating of 1 to 5 for the following statements as applied in your debt management office.
Key: 1. Strongly Agree 2. Agree 3. Neutral 4. Disagree 5. Strongly Disagree
Drivers 1 2 3 4 5
1. Governance
a) Operational risk management function is independent, important and relevant to the debt management office
b) Operational risk management function lies within the middle office of the debt management office with other risk management functions
c) Operational risk management function reports directly to Head of Debt Management Office
d) Operational risk management function reports directly to the Ministry’s Chief Risk Officer
e) Operational risk management function reports directly to Audit
f) There are operational risk coordinators or champions in every debt management unit who have regular communication with the central operational risk team
g) Operational risk function owns business continuity planning (from damage to physical assets and business disruptions and system failures)
2. Culture and awareness
h) There is a change program designed to identify, assess, monitor, control and mitigate operational risks
i) Operational risk function has undertaken proactive communication, careful planning and excellent training to promote and communicate the operational risk management framework
j) To facilitate culture change, an effective institution wide training module to educate on importance of operational risk management, role of operational risk team and coordinators was delivered
3. Policies and procedures
k) There is an operational risk policy (could be part of the overall risk management policy) on government debt management.
l) Policies and procedures in place cover the minimum requirements for incident reporting, risk and control self-assessment, scenario analysis and key risk indicators programs
14. What are some of the constraints to the implementation of the above drivers in your DMO? (You can √ tick more than one where applicable)
Reasons Tick
1. Limited / inadequate resources
2. Lack of knowledge/understanding
3. Poor risk culture and awareness
4. Lack of involvement and participation of all staff
5. Inadequate policies and procedures on operational risk management
6. Poor sound operational risk governance practices
7. Inadequate managerial structure
8. Inadequate policies and structures on internal and external audit of debt operations
Other reasons
Operational risk management framework is an approach for managing operational risks within an institution.
15. Is there an operational risk management framework in your debt management office? □ Yes □ No □ Not sure
If No, please give reasons
If Yes, please continue
16. How do you rate the implementation of the operational risk management framework in your debt management office?
Key: 1. Strongly Agree 2. Agree 3. Neutral 4. Disagree 5. Strongly Disagree
ORM Framework 1 2 3 4 5
1. Understand and document business activities
a) The debt management operations are understood and documented into activities and processes
b) Each debt management function has a stated objective and key risks identified
Objective 3: To determine the existence of operational risk management framework with the specific programmes used in the DMU of each MEFMI member country for effective operational risks management.
2. Risk identification and assessment
c) There is rating on likelihood and impact of the risks identified
d) Engagement workshops and discussions for each debt management function have been applied to ensure all staff involvement to develop risk understanding and culture in the DMO
3. Risk response and controls
e) There is a clear response to the risks identified and application of controls
f) Through
i. Risk avoidance – for example, to avoid the key person risk, more staff have been trained and exposed to the actual job
ii. Transfer of risk – to third party such as insurer (insurance against theft and loss)
iii. Mitigation and control of risk – for example, having a back-up generator to reduce impact of power disruption
iv. Risk acceptance – for example, having a disaster recovery plan (DRP) that is regularly tested to ensure resumption of operations in the event of a disruption
4. Implementation process
g) There is training for debt management staff and managers to understand their roles and ensure compliance with operational risk management policies and procedures
h) Risk awareness with external parties to cover all activities external to DMO (such as the Ministry’s IT function)
i) Mitigation strategies and controls are documented in procedures and monitored by DMO risk monitoring unit /champion
j) There is a developed BCP and DRP with annual testing
5. Monitoring and reporting performance
k) There is monitoring of key risks identified, assessed and sources of the risks by debt managers and risk monitoring unit/champion
l) Regular reporting to senior management on key risks, significant incidents and a review process is in place
6. Continuous improvement
m) There is an increase in risk awareness to all staff
n) There is full and visible support of senior management
17. How familiar are you with any of the following tools/techniques/methods of applying the operational risk management framework?
Key: 1. Highly familiar 2. Familiar 3. Neutral 4. Hardly familiar 5. Not at all familiar
Programs 1 2 3 4 5
1. Incident Reporting
2. Risk and Control Self-Assessment (RCSA)
3. Scenario Analysis
4. Key Risk Indicators (KRIs)
5. Effective Reporting – on operational risks and action taken
6. Other, please specify
18. Does your DMO utilise any of these operational risk management framework tools?
Which one? □ Incident Reporting □ Risk and Control Self-Assessment (RCSA) □ Scenario Analysis □ Key Risk Indicators (KRIs) □ Effective Reporting □ Other, please specify
19. Kindly provide any other observations you may have on the practice of operational risk management in your debt management office.
THANK YOU FOR TAKING TIME TO COMPLETE THIS QUESTIONNAIRE.
PLEASE FORWARD IT TO OLIVE GITAU ON EMAIL: [email protected]
Should you have any queries, please contact Olive Gitau on Telephone Number +254202861055 or email above.